MIT/LCS/TR-548 


A Timing Analysis of Level-Clocked Circuitry


Alexander T. Ishii
Charles E. Leiserson


September  1992 


REPORT  DOCUMENTATION  PAGE 




4. TITLE AND SUBTITLE: A Timing Analysis of Level-Clocked Circuitry

6. AUTHOR(S): Ishii, A. T.; Leiserson, C. E.

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): MIT, Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139

8. PERFORMING ORGANIZATION REPORT NUMBER: MIT/LCS/TR-548

9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES): DARPA

10. SPONSORING/MONITORING AGENCY REPORT NUMBER: N00014-91-J-1698



14. SUBJECT TERMS: VLSI systems, level-clocking, timing constraints, timing analysis, timing verification, computational expansions, delta-constraints, formal modeling, graph algorithm applications, algorithmic techniques

15. NUMBER OF PAGES: 32



A  Timing  Analysis  of  Level-Clocked  Circuitry 


Alexander  T.  Ishii 
Charles  E.  Leiserson 


Laboratory  for  Computer  Science 
Massachusetts  Institute  of  Technology 
Cambridge,  Massachusetts  02139 

July  22,  1992 


Abstract 

This paper presents an algorithm for verifying proper timing in VLSI circuits where latches are controlled
by the levels (high or low) of the controlling clocks rather than the transitions (edges) of the clocks. Such
level-clocked circuits are frequently used in MOS VLSI design. A level-clocked circuit is modeled as a
graph $G = (V, E)$, where $V$ consists of components — latches and functional elements — and $E$ represents
intercomponent connections. The algorithm verifies the proper timing of a circuit in worst-case $O(|V||E|)$
time and $O(|V| + |E|)$ space.

Our analysis decouples the problem of generating timing constraints from the problem of efficiently
checking them. We show how various “base step” functions can be used to provide sufficient conditions for
a circuit to operate properly, and we provide a new base step function which is less pessimistic than those
used in previous timing verifiers, yet correctly handles timing constraints that are “cyclic” or extend across
the boundaries of multiple clock phases or cycles. The base step function is used to derive a “computational
expansion” of the circuit from which a collection of simple linear constraints are derived. These constraints
can be efficiently checked using standard graph algorithms.

Keywords: VLSI systems, level-clocking, timing constraints, timing analysis, timing verification,
computational expansions, delta-constraints, formal modeling, graph algorithm applications, algorithmic techniques.

Figure 1: An abstract representation of a level-clocked circuit is shown, along with its associated clocking waveforms. Each
circle represents a functional element (e.g., block of combinational logic) which has associated with it a label and a propagation
delay. Each rectangle in the figure represents a level-clocked latch which has associated with it a label and a controlling clock
waveform.


1  Introduction 

MOS/VLSI technology has popularized a methodology of clocking based on level-clocked latches instead of
the more traditional edge-triggered latches used, for example, in TTL [20] design. The popularity of
level-clocking arises from the simplicity with which a level-clocked latch can be implemented in MOS technologies:
a single transistor can suffice [6, 13]. Unfortunately, level-clocking methodologies make the problem of
determining whether a circuit is properly clocked a difficult one, because changes in the output of a latch
need not closely correspond to transitions in its clocking waveform. In contrast, the output of an
edge-triggered latch changes only on a transition of its clock, and consequently, the propagation of computation
through the circuit can be more easily tracked.

To illustrate the basic concepts of level-clocked circuit operation, consider the circuit depicted in Figure 1.
(A similar example is discussed in [6, p. 334].) Each circle in the figure represents a functional element (e.g.,
block of combinational logic) which has associated with it a label and a propagation delay. The propagation
delay of a functional element specifies the “settling” time required for the output to assume its correct value
after an input changes. Until it settles, the value of the output is considered to be undefined. Each rectangle
in the figure represents a level-clocked latch which has associated with it a label and a controlling clock.
While the clock for a latch is high, the output of the latch is equal to its input. When the clock changes to
low, the latch stores the value of its input and outputs this value until the clock changes back to high.

A  natural  question  to  ask  is  whether  the  circuit  of  Figure  1,  with  the  propagation  delays  and  clocking 
waveforms  shown,  computes  properly.  For  example,  after  suitable  initialization  of  latch  outputs  at  start-up, 
do  all  latches  always  hold  well-defined  values?  It  might  appear  that  the  answer  is  no,  because  of  the  following 
fallacious  reasoning.  At  time  12,  the  input  of  Latch  C  should  be  the  result  of  applying  the  function  computed 
by  B  to  the  output  of  Latch  D  at  time  9.  Thus,  B  may  have  to  start  a  computation  at  time  9  and  finish  by 
time  12,  i.e.,  finish  in  3  time  units,  but  its  propagation  delay  is  4  time  units,  which  is  too  long. 

This reasoning is improper because the computation of B can always begin before time 9. To see this,
look back at the output of Latch C, which we presume must have a proper value at time 3 when clock $\phi_1$
goes low. At time 8 the output of A has settled, and since clock $\phi_2$ is high, this value passes immediately
to the output of Latch D. Thus, since the output of C cannot change between times 3 and 10, B can
always begin its computation by time 8 instead of time 9, as in the fallacious analysis, and the computation
must complete successfully by time 12. Observe that Latch D transmits a value at a time distinct from any
transition of its clock. This is in contrast to the situation where all latches are edge-triggered, in which case
the time at which a latch transmits a value corresponds directly to a transition of its clock.

The circuit of Figure 1 illustrates the most basic type of “timing constraint” that must be met to ensure
proper circuit operation. In general, computations are constrained to occur between the rising edge of one
clock and the next falling edge of another. For example, between the rising edge of $\phi_1$ at time 1 and the
falling edge of $\phi_2$ at time 9, A must be able to take a new input and compute a new output. Thus, the
propagation delay 5 of A must be less than the amount of time between the rising edge of $\phi_1$ and the falling
edge of $\phi_2$, i.e., less than 8. Similarly, the propagation delay 4 of B must be less than the amount of time
between the rising edge of $\phi_2$ at time 7 and the falling edge of $\phi_1$ at time 12, i.e., less than 5. These two
constraints on the propagation delays of functional elements are examples of the delay constraints that have
been widely recognized in the literature [1, 4, 6, 8, 9, 11, 14, 15, 16, 17, 18, 21, 22].

Figure 2: A circuit which demonstrates some of the subtleties of level-clocked circuitry.

The circuit also illustrates the scheduling constraints that have been considered by previous timing
analyses. Intuitively, scheduling constraints require that functional elements not begin using their inputs before
the inputs are in fact available. For example, if A receives a new input just as $\phi_1$ falls at time 3, then the
new output of A, which presumably propagates through latch D between times 7 and 9, is not ready until
time 8. Thus, the computation of B is constrained not to begin until time 8 which in turn implies that the
output of B will not be ready until time 12, when $\phi_1$ falls. Observe that since the output of B is ready by
the falling edge of $\phi_1$, we have in effect found a consistent “schedule” that has A computing between the
fall of $\phi_1$ and one time unit before the fall of $\phi_2$, and has B computing between one time unit before the
fall of $\phi_2$ and the fall of $\phi_1$. If the propagation delay of A were 6, instead of 5, no consistent schedule would
be possible, since the computation of A would have to start before the fall of $\phi_1$. The impossibility of a
consistent schedule would constitute a scheduling constraint violation.

The more complex circuit depicted in Figure 2 demonstrates some of the subtleties that can arise in
level-clocked circuitry. For example, notice that when $\phi_1$ goes high at time 10, functional element B begins
a computation whose result must “flow through” latch G before $\phi_1$ goes low at time 12. Thus, the circuit
contains a delay constraint that occurs between transitions that are part of the same clock. In addition, the
time between the rise of $\phi_1$ at time 10 and the fall of $\phi_3$ at time 18 must be at least the propagation delay
6 of C plus the propagation delay 1 of B, rather than just the propagation delay of C. As another example,
notice that along the path F → C → 7, there is an apparent delay constraint violation. Specifically, there
are only 5 time units between the rise of $\phi_2$ at time 13 and the fall of $\phi_3$ at time 18, while the delay of C is
6 time units. In fact, since $\phi_3$ is never high between time 6 and time 15, the output of D during times 13
thru 15 must be the same as it was at time 6. Thus, no new computation by C can begin between times 13
and 18, so the violated delay constraint was in fact “fictitious.”

Figure 3: (a) A functional element has some finite number $k$ of inputs $x_1$ through $x_k$, a single output $y$, an associated $k$-input
function $f$, and a propagation delay $d$. (b) A level-clocked latch has a single input $x$, a single output $y$, and an associated
digital clock $\phi$.


In the literature, several attempts have been made to develop timing analytical techniques for
level-clocked circuitry, as well as to develop algorithms and heuristics to perform analysis automatically [1, 4, 8,
9, 11, 14, 15, 16, 17, 18, 21, 22]. These authors have addressed both delay and scheduling constraints in
their timing analyses. They have also provided algorithms that are well suited to the circuits for which they
were developed. In general, however, previous timing analysis methods have either applied only to specific
clocking disciplines [1, 9, 11, 14, 15, 16, 21] or have checked scheduling constraints by using some type of
iterative approximation or relaxation technique to verify the existence of some consistent schedule [1, 4, 8,
11, 17, 18, 22].

While  working  well  in  practice,  the  iterative  approximation  and  relaxation  techniques  used  by  previous 
timing  analysis  systems  are  not  guaranteed  to  run  in  polynomial  time.  These  techniques  all  fall  prey  to 
pathological  worst  cases  where  each  successive  approximation,  or  relaxation,  moves  the  analysis  only  some 
small  increment  toward  the  desired  final  solution.  In  such  worst  cases,  the  running  time  of  the  analysis  can 
change  drastically  in  response  to  a  very  small  change  in  the  circuit  being  analyzed.  For  example,  simply 
changing  the  delay  of  a  functional  element  from  1  nanosecond  to  999  picoseconds  might  cause  over  an  order 
of  magnitude  change  in  the  running  time  of  the  analysis. 
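
The Figure 1 scheduling argument and the small-increment worst case described above can both be reproduced with a forward latest-arrival propagation around the loop C → A → D → B → C. This is an added example of the iterative style of check, not the paper's algorithm and not the authors' code; the clock period of 9, the function names and the steady-state test are assumptions made here.

```python
from fractions import Fraction

# Values quoted in the text for Figure 1. The period of 9 is inferred from
# phi1 rising at times 1 and 10; it is an assumption of this example.
PERIOD = 9
PHI1_HIGH = (1, 3)    # clock of latch C: High on [1, 3], [10, 12], ...
PHI2_HIGH = (7, 9)    # clock of latch D: High on [7, 9], [16, 18], ...


def through_latch(arrival, window, cycle):
    """Pass a value through a level-clocked latch during one clock cycle.

    Returns (departure, deadline). departure is None when the value settles
    after the falling edge, i.e. after the last moment the clock is High.
    """
    rise, fall = (edge + cycle * PERIOD for edge in window)
    if arrival > fall:
        return None, fall
    return max(arrival, rise), fall   # a transparent latch passes data at once


def analyse(delay_a, delay_b, max_cycles=10_000):
    """Follow the latest settling time around C -> A -> D -> B -> C."""
    delay_a, delay_b = Fraction(delay_a), Fraction(delay_b)
    # Most favourable start: latch C holds a valid value at the first rise of
    # phi1. If even this start misses a deadline, no consistent schedule exists.
    depart_c = Fraction(PHI1_HIGH[0])
    previous_phase = None
    for n in range(max_cycles):
        arrive_d = depart_c + delay_a
        depart_d, deadline = through_latch(arrive_d, PHI2_HIGH, n)
        if depart_d is None:
            return {"ok": False, "latch": "D", "cycle": n,
                    "arrival": arrive_d, "deadline": deadline}
        arrive_c = depart_d + delay_b
        depart_c, deadline = through_latch(arrive_c, PHI1_HIGH, n + 1)
        if depart_c is None:
            return {"ok": False, "latch": "C", "cycle": n + 1,
                    "arrival": arrive_c, "deadline": deadline}
        phase = depart_c - (n + 1) * PERIOD
        if phase == previous_phase:      # same offset in two successive cycles
            return {"ok": True, "cycles": n + 1, "phase": phase}
        previous_phase = phase
    return {"ok": None, "cycles": max_cycles}   # undecided within the budget


if __name__ == "__main__":
    for delay in (5, 6, "5.1", "5.01", "5.001"):
        print(delay, analyse(delay, 4))
```

With the delay of A at 5 the propagation reaches a steady state after two cycles; at 6 latch C misses its deadline in cycle 3. The closer the delay is to 5 from above, the more cycles the propagation needs before the miss shows up, which is the running-time sensitivity the paragraph above describes.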

In this paper, we present a polynomial-time algorithm to determine whether a given level-clocked circuit
operates properly. Our algorithm can handle arbitrarily complex clocking disciplines, and verifies the proper
operation of a circuit in worst case $O(|V||E|)$ time and $O(|V| + |E|)$ space. If circuit components have
bounded fanout, then the algorithm runs in $O(|V|^2)$ time. In addition, our algorithm can identify certain
types of fictitious delay constraints, and thus is less pessimistic than previous methods.

Our  algorithm  is  based  on  an  analysis  technique  called  computational  expansion,  which  provides  a  succinct 
set  of  provably  sufficient  conditions  for  the  proper  operation  of  a  level-clocked  circuit.  The  computational 
expansion  is  in  turn  based  on  a  choice  of  “base  step”  function,  which  encapsulates  sufficient  conditions 
for  the  circuit  to  operate  properly.  We  provide  one  such  base  step  function  that  subsumes  the  timing 
constraints  considered  by  others.  Using  the  computational  expansion,  we  derive  a  set  of  sufficient  conditions 
that  can  be  reduced  to  a  collection  of  simple  linear  constraints.  These  constraints  can  then  be  checked 
using  standard  polynomial-time  graph  algorithms,  and  thus  our  algorithm  avoids  the  potential  for  extreme 
worst-case  running  times  which  are  associated  with  iterative  approximation  techniques. 

The remainder of this paper is organized as follows. Section 2 gives our formal model for level-clocked
circuits. Section 3 defines the concept of a computational expansion of a circuit, which is used in Section 4
to derive sufficient conditions for proper circuit operation. Section 5 examines methods for checking the
sufficient conditions, and presents an algorithm that verifies whether a circuit operates properly over some
finite interval of time. Section 6 contains our principal contribution: a polynomial-time algorithm for
verifying the proper operation of circuits that use an arbitrary periodic set of clocks. Section 7 presents
some concluding remarks.

2  Level-Clocked  Circuits 

In this section we present the formal models upon which our timing analysis algorithms are based.
Mathematical definitions are given for functional elements, level-clocked latches, level-clocked circuits, and proper
circuit operation. Intuitive descriptions are provided where appropriate.

A functional element has some finite number of inputs $x_1, x_2, \ldots, x_k$, a single output $y$, a $k$-input function
$f$, and a propagation delay $d$, as shown in Figure 3(a). The value of the output $y$ at time $t$ is given by the

Intuitively, a functional element is a block of combinational logic whose output is some function $f$ of its
inputs. The propagation delay $d$ of the functional element is a “settling” time that indicates the amount of
time required, after an input changes value, for the output to assume its correct value. The invalid value $\bot$
indicates that the output has no well-defined value. An input is stable over an interval of time if it assumes
a constant valid value over the interval. By definition, a stable input is constant. A constant input need not
be stable, however, since an input could be constant with the invalid value $\bot$.

There are two features of equation 1 that should be noted. First, if an input changes value, the output
immediately takes on the value $\bot$ and does not become valid until a time equal to the propagation delay
$d$ after the change in the input. Thus, the “minimum” propagation delay, or “contamination” delay, of
functional elements is assumed to be 0, and $d$ in fact represents the “maximum” propagation delay of a
functional element. Second, if any input is $\bot$ at time $t$ it is not stable at time $t$, by definition, and thus the
output must be $\bot$. There are functional elements, such as a common MOS NOR gate, where a changing or
undefined input does not necessarily imply an undefined output. Our algorithms do not directly exploit this
aspect of such functional elements.

Functional  elements  can  be  used  to  represent  more  general  circuit  components,  much  as  ideal  electrical 
components,  such  as  ideal  resistors,  capacitors,  and  inductors,  are  used  to  model  real  physical  devices  [2].  For 
example,  a  circuit  component  with  multiple  outputs  can  be  represented  with  several  one-output  functional 
elements.  As  another  example,  a  circuit  component  whose  propagation  delay  varies  with  the  input  can  be 
represented  with  a  zero-delay  functional  element,  each  of  whose  inputs  is  the  output  of  a  functional  element 
that  computes  the  identity  function  and  whose  propagation  delay  is  the  input-to-output  propagation  delay 
of  the  original  functional  element. 

In order to simplify the explanation of our algorithms, we assume that clock waveforms always have
well-defined values. Formally, a clock $\phi$ is a mapping from $\mathbb{R} \cup \{-\infty\}$ to {High, Low}, such that the set
$\{t : \phi$ has value High at time $t\}$ is a set of nonoverlapping closed intervals, and $\phi$ changes value only a finite
number of times during any finite interval. Observe that the set $\{t : \phi$ has value Low at time $t\}$ is a set
of nonoverlapping open intervals, and thus, when $\phi$ changes value from High to Low, there exists a well
defined last moment in time when $\phi$ has value High, but no well defined first moment when $\phi$ has value Low.
Similarly, when $\phi$ changes value from Low to High, there exists a well defined first moment in time when
$\phi$ has value High, but no well defined last moment when $\phi$ has value Low. This definition is a somewhat
arbitrary convention, which has been chosen for the sake of descriptional brevity. A more general model can
be found in [10].

A level-clocked latch has a single input $x$, a single output $y$, and a controlling clock $\phi$, as shown in
Figure 3(b). The value of the output $y$ at time $t$ is given by the equation:

$$
y(t) =
\begin{cases}
x(t) & \text{if } \phi(t) = \text{High} \\
y(t_{\text{high}}) & \text{if } \phi(t) = \text{Low and } t_{\text{high}} = \sup \{ t' < t : \phi(t') = \text{High} \}
\end{cases}
\qquad (2)
$$

We  generally  refer  to  a  level-clocked  latch  as  simply  a  latch.  While  the  clock  for  a  latch  has  value  High,  the 
output  of  the  latch  is  equal  to  its  input.  When  the  clock  changes  value  to  Low,  the  latch  stores  the  value 
of  its  input  at  the  “last  moment”  when  the  clock  had  value  High,  and  outputs  this  value  until  the  clock 
changes  value  back  to  High.  The  propagation  delay  of  a  latch  is  assumed  to  be  zero.  Latches  with  nonzero 
propagation  delays  can  be  modeled  by  combining  zero-delay  latches  with  “padding”  functional  elements  that 
compute  the  identity  function. 

Functional elements and level-clocked latches are the two types of components that level-clocked circuits
are constructed from. A level-clocked circuit is a directed graph $G = (V, E)$, where $V$ is a set of components
consisting of functional elements and level-clocked latches, and $(u, v) \in E$ if the output of $u$ is an input
of $v$. We assume without loss of generality that each component has exactly one input edge for each of
its inputs. (Any bus-like structures where multiple components drive a single wire can be modeled by a
functional element with an input for each component that can drive the bus, and an associated function that
can “resolve” bus conflicts.)

For convenience, we generally refer to a component and its output interchangeably. In particular, we
often refer to the output of a component by making reference to the component itself. Both a component $v$
and its output are said to stabilize at time $t$ if the output of $v$ changes to a valid value at time $t$. Similarly,
both $v$ and its output are said to destabilize at time $t$ if the output of $v$ changes to $\bot$ at time $t$. Finally, both
$v$ and its output are said to transition at time $t$ if $v$ either stabilizes or destabilizes at time $t$.

A clock set for a level-clocked circuit $G$ is a set containing a clock (clocking waveform) $\phi$ for each
level-clocked latch in $G$. Our timing analysis algorithms can be applied to any clock set with the following
properties:

1.  The  set  is  finite,  and  its  elements  are  fully  specified  clocks. 

2.  For  any  time  t,  every  cycle  in  G  contains  at  least  one  latch  whose  clock  has  value  Low  at  time  t. 

Clock sets with the second property are said to be fully synchronous. Our analysis and algorithms are not
directly applicable to circuits that “gate” their clock signals and/or rely on “two-sided” timing constraints [6].
In addition, we assume for simplicity that there exists a start time $t_0 > -\infty$, such that all clocks in the clock set are
constant over the interval $[-\infty, t_0]$. Henceforth, we assume these properties hold.

In general, the clocks in a clock set are assumed to repeat after some finite amount of time. A clock set
$\Phi$ is periodic, if there exists a strictly positive real number $\pi$, such that $\phi(t) = \phi(t + \pi)$ for all $t > t_0$ and
$\phi \in \Phi$. The number $\pi$ is the period of $\Phi$.

For any time $t$ and clock set $\Phi$ it is possible to divide the interval $[-\infty, t]$ into a finite number of intervals,
or steps, during which all clocks in $\Phi$ hold constant values. Steps are ordered in the natural fashion, and we
denote the $k$th step of the clock set by its index $k$ or by its endpoints $(t_k, t_{k+1})$. (The delimiters “(” and “)”
simply indicate that whether the ends of an interval are open or closed depends on context.) By convention,
the interval $[-\infty, t_0]$ is the $-1$st step of the clock set, and $t_k$ always denotes the starting endpoint of the
$k$th step.

Our  definition  of  proper  circuit  operation  is  based  on  a  concept  of  “ideal  outputs.”  We  assume  that  an 
ideal  circuit  is  one  whose  components  have  infinitesimal  propagation  delays.  The  ideal  output  of  a  component 
at  time  t  is  the  output  at  time  t  of  the  corresponding  component  in  a  structurally,  and  functionally,  equivalent 
ideal  circuit.  A  circuit  is  said  to  operate  properly,  if  for  all  time  t  the  outputs  of  latches  whose  clocks  are 
Low  at  time  t  are  equal  to  their  ideal  outputs.  This  definition  of  proper  operation  is  similar  to  the  definition 
of  “correct  behavior”  used  by  Szymanski  [18],  and  the  definition  of  “intended  behavior”  used  by  Weiner  and 
Sangiovanni-Vincentelli  [22]. 

3  Computational  Expansions 

In this section, we show how to construct circuits that perform in a combinational fashion the same
computation as a given circuit $G$. The construction essentially makes multiple copies of components in $G$ and
connects them together in such a way that for every possible transition by some component in $G$, there
exists a copy of the component, in the combinational circuit, which computes the value that the component
transitions to. The resulting combinational circuit is a “computational expansion” of $G$. Our timing analysis
algorithms are based on the strong correlations that exist between the operation of $G$ and the operation of
a corresponding computational expansion.

Consider the circuit $G'$ shown in Figure 4. The circuit consists of copies of the components from the
circuit $G$ in Figure 1. Groups of components in $G'$ are associated with steps of the clock set and
we use $v_k$ to denote the copy of component $v$, in $G$, that is in the group associated with step $k$. Latches
associated with step $-1$ have constant Low clocks, while all other latches have constant High clocks.

The circuit $G'$ performs in a combinational fashion the same computation as the circuit $G$. If both $\phi_1$
and $\phi_2$ have value Low for all time less than 0, and the latches $C_{-1}$ and $D_{-1}$ (in $G'$) are initialized so that
they output the values that C and D (in $G$) hold at time 0, then the ideal output of any component in $G$
over the interval $[-\infty, 1)$ is eventually settled to by a component associated with step $-1$ in $G'$. Similarly,
the ideal output of any component in $G$ over the interval $[1, 3]$ is eventually settled to by some component
associated with steps $-1$ and 1 in $G'$. In fact, the ideal output of any component in $G$ for all times less than
37 is eventually settled to by some component in $G'$, i.e., $G'$ computes the ideal outputs of $G$ for all times
less than 37. The circuit in Figure 4 is not combinational, in a strict sense, since it includes latches with
clock inputs. Like most combinational circuits, however, the circuit is acyclic, and this acyclicity is exploited
by our timing analysis.

Figure 4: Illustration of computational expansion for the circuit from Figure 1. Dark-shaded path represents a simple delay
constraint.

For simple circuits like the one in Figure 1, a computational expansion can be constructed by making
a copy of a component for each time that the ideal output of the component changes. Consider again the
circuit $G'$ shown in Figure 4. The circuit computes the ideal outputs of the components of $G$ in Figure 1 for
steps $-1$ through 15. In addition, it also computes the ideal outputs for steps $-1$ through 16, since the fall
of $\phi_2$ at time 36 cannot cause the ideal output of any component in $G$ to differ between steps 15 and 16.
Observe that $G'$ does not compute all the desired ideal outputs for steps $-1$ through 17, since the rise of $\phi_1$
at time 37 (not shown) can cause the ideal outputs of A and C (in $G$) to differ between steps 16 and 17,
thus implying changes in the ideal outputs of A and C which are not “represented” by any component in $G'$.
A computational expansion for steps $-1$ through 17 can be obtained, however, by augmenting $G'$ with an
additional copy $A_{17}$ of A, and an additional copy $C_{17}$ of C. The final output values of $A_{17}$ and $C_{17}$ can be
insured to equal the desired ideal output values, by placing edges to the new copies from the “most recent”
copies of the components whose outputs are inputs to A and C, i.e., from $B_{15}$ to $C_{17}$, and from $C_{17}$ to $A_{17}$.
By beginning with the vertex-induced subgraph defined by the components associated with step $-1$, and
inductively repeating the construction just described, a computational expansion of $G$ for steps $-1$ through
$n$ can be constructed for any nonnegative $n$.

Given some method for establishing the times when the ideal outputs of components change, the
construction just described can be easily formalized. Let $I(v,k)$ denote the earliest step such that the ideal
output of a component v is constant over the interval $[t_{I(v,k)}, t_{k+1})$, i.e., the most recent step where the
ideal output of the component changed. For any component v, the set of steps $\{k : I(v,k) = k\}$ contains
exactly one step for each time that the ideal output of v changes value, and thus, a copy $v_k$ of v is needed
for each step k such that $I(v,k) = k$. By subscripting copies of components with steps where the ideal
outputs of the original components changed, the edges to any copy $v_k$ are easily constructed by noting that
the “most recent” copy $u_l$ of any component u whose output is an input to v must be such that $l = I(u,k)$.
Consequently, one naive way to construct a “computational expansion” $G_{cx} = (V_{cx}, E_{cx})$ of a given circuit
$G = (V, E)$ would be to let

$$V_{cx} = \{v_k : v \in V \text{ and } I(v,k) = k\}$$

$$E_{cx} = \{(u_l, v_k) : (u,v) \in E,\ I(u,k) = l,\ \text{and } I(v,k) = k\}.$$

If the clock set is fully synchronous, then $G_{cx}$ is acyclic, except for possibly the subcircuit of copies associated
with step $-1$. Consequently, if every latch $v_k$ such that $k \neq -1$ has a constant High clock, and every latch
$v_{-1}$ has a constant clock, whose value is equal to the clock of v at time $-\infty$, and given suitable initialization,
a simple inductive argument can be used to show that the ideal output of component v during step i is
eventually output by

Figure 5: A circuit demonstrating the inability of changes in ideal output to capture all changes in component outputs. Darkly
shaded regions represent intervals of time when component outputs are undefined.

Unfortunately,  the  construction  based  on  changes  in  ideal  output,  does  not  necessarily  generate  a  copy 
of  a  component  for  each  component  transition.  The  problem  is  that  component  transitions  that  occur  in  the 
actual  circuit  may  disappear  when  the  circuit  is  idealized  with  delays  that  approach  zero.  Thus,  while  the 
construction  based  on  changes  in  ideal  output  would  always  generate  a  combinational  circuit  that  computes 
the  same  function  as  the  original  circuit,  it  would  not  always  generate  a  combinational  circuit  which  performs 
in  a  combinational  fashion  the  same  computation  as  the  original  circuit. 

Consider, for example, the simple circuit shown in Figure 5. The functional element A is a simple binary
buffer, while the functional element B is a binary inverter. The subcircuit composed of A, B, C, and D
essentially forms an unstable inverter ring, and consequently the outputs of all four of these components are
expected to flip back-and-forth between logical 1 and 0. Now, due to the large amount of time between the
fall of $\phi_2$ and the next rise of $\phi_1$, the output of B is guaranteed to be stable when $\phi_1$ rises, and thus the
output of C flips cleanly between 1 and 0, as shown. Even when the output of C flips cleanly, however, the
delay of A is sufficiently long to cause A to output an undefined value while the clock to D is High. In fact,
the output of A, and subsequently the output of D, does not become defined until the exact moment when
$\phi_2$ falls. (Fortunately, this is sufficient to insure a properly latched value for our models.) Now, since the
output of D does not become stable until the fall of $\phi_2$, the output of component B does not become stable
until two time units later, and consequently latch E outputs an undefined value, as shown, for one time unit
after each rise of $\phi_3$. Observe, however, that if the delay of B were less than 1, the output of E would be
constant at 1 for all time greater than 16. Clearly, for this circuit, the ideal output of E is constant for all
time greater than or equal to 16, despite the fact that the actual output of E destabilizes after each rise
of $\phi_3$. Consequently, a construction based on changes in ideal output is not guaranteed to capture every
transition that occurs during the computation of a given circuit.

To facilitate the handling of difficulties like the one demonstrated in Figure 5, it is convenient to formalize
the notion of a “potential” component transition. Our definition of what constitutes such a transition is
based on the behavior of a circuit whose clocks “stop” during the step. Formally, given a circuit G and

the approximation of G is the circuit $G^k$ that is identical to G, but clocked by where the clocks
in are equal to the clocks in $\Phi$ over the interval $[-\infty, t_{k+1})$ but are constant for all time greater than or
equal to $t_{k+1}$, with the values they held during step k. The function $B^*(v,k)$ denotes the earliest step i such
that over the interval $[-\infty, \infty]$ the output of vertex v in $G^i$ is equal to the output of v in $G^k$. The minimal
computational expansion for a circuit $G = (V, E)$ is the circuit $G^*_{cx} = (V^*_{cx}, E^*_{cx})$ where

$$V^*_{cx} = \{v_k : v \in V \text{ and } B^*(v,k) = k\}$$

$$E^*_{cx} = \{(u_l, v_k) : (u,v) \in E,\ B^*(u,k) = l,\ \text{and } B^*(v,k) = k\}$$

Intuitively, the minimal computational expansion contains a copy of a component v for each step where
either the ideal output of v changes or a glitch occurs in the actual output of v, i.e., for each step where
the output of v either was intended to change or does change. Edges insure that each copy of v receives the
correct inputs for any particular step. For the sake of clarity, we adopt the convention that components in
V are denoted with unsubscripted lowercase letters such as “u” or “v”, while nodes in $V_{cx}$ are denoted with
subscripted lowercase letters such as “u*” or In addition, a node denoted with “$v_k$” is assumed to be
a copy of component $v \in V$ that exists because $B^*(v,k) = k$. Such a node is said to be in the kth level of
$G^*_{cx}$. Every latch $v_k$ such that $k \neq -1$ has a constant High clock. Every latch $v_{-1}$ has a constant clock,
whose value is equal to the clock of v at time $-\infty$. Latches whose clocks are Low at time $-\infty$ are initialized
so that they have the same outputs as the corresponding latches in G. The first 19 levels of the minimal
computational expansion for the circuit from Figure 5 are shown in Figure 6. The darkly shaded node would
not be in the expansion if components were only copied when their ideal output changed.

Unfortunately, it is unlikely that polynomial-time timing verification algorithms can be based on the
minimal computational expansion. The difficulty is with the reliance of the definition of $B^*$ on the actual
output of a component. Consider, for example, the circuit in Figure 5, and suppose that all we wished
to determine was whether $B^*(A,1) = 1$. For the initial conditions shown, $B^*(A,1)$ is obviously 1, since
the output of C is initially 0 while the output of component B is initially 1. Observe, however, that if
the output of C were instead initially 1, then $B^*(A,1)$ would be equal to $-1$. Thus, if we wish to verify
the timing of a circuit for all possible initial conditions, many different minimal computational expansions
may need to be considered, possibly exponentially many. In addition, for some circuits, particularly those
containing “counters,” changes in the output of a particular component may manifest themselves only after an
exponential number of steps have passed. Unfortunately, both these difficulties are likely to be fundamental,
since a reduction from boolean satisfiability [7] shows that timing verification is an NP-hard problem in
general.

3.1  Base  Step  Functions 

The key to using computational expansion for efficient timing analysis is to use approximations to $G^*_{cx}$
that are “pessimistic” about when the outputs of components change value. Consider the circuit shown in
Figure 7. The circuit is identical to the circuit in Figure 5, except that component A is now an inverter.
The subcircuit composed of A, B, C, and D now forms a stable inverter ring, and consequently the minimal
computational expansion of the circuit is as shown in Figure 8. Observe, however, that if all the buffers in the
expansion from Figure 6 were replaced with inverters, the resulting expansion would, in a sense, approximate
the expansion from Figure 8. Specifically, there exists (in the expansion) a copy of a component for each
transition of the component. The expansion is only an approximation because the converse is not true, i.e.,
an actual or intended change in output does not exist for each copy in the expansion. As will be shown
in Sections 4 and 6, timing verification based on such approximations will never fail to identify a circuit
which does not operate properly. The key to efficient timing verification is that there exist expansions that
are “easy” to generate, yet approximate the minimal computational expansion regardless of what either the
initial conditions or functions computed by components might be.

Figure 6: The minimal computational expansion for the circuit from Figure 5. Darkly shaded node would not be present in
an expansion generated using changes in ideal output.

Approximations to the minimal computational expansion are specified using a “base step function.” A
base step of component v at step k is any step i such that the output of vertex v in the approximation $G^i$ is
equal to the output of v in the approximation $G^k$ over the interval $[-\infty, \infty]$. Given some base-step function,
B, which maps each component-step pair to a base step, a computational expansion of a circuit $G = (V, E)$
is defined to be a graph $G_{cx} = (V_{cx}, E_{cx})$ where

$$V_{cx} = \{v_k : v \in V \text{ and } B(v,k) = k\}$$

$$E_{cx} = \{(u_l, v_k) : (u,v) \in E,\ B(u,k) = l,\ \text{and } B(v,k) = k\}$$

As before, every latch $v_k$ such that $k \neq -1$ has a constant High clock, while every latch $v_{-1}$ has a constant
clock, whose value is equal to the clock of v at time $-\infty$. In addition, latches whose clocks are Low at time
$-\infty$ are initialized so that they have the same outputs as the corresponding latches in G. As in the minimal
computational expansion, a node denoted with “$v_k$” is assumed to be a copy of component $v \in V$ that exists
because $B(v,k) = k$. Observe that the definition of $G_{cx}$ differs from the definition of $G^*_{cx}$ only in that
copies of components might be made for any step that meets the specified conditions, rather than just the
earliest step.

Intuitively,  base  step  functions  are  a  convenient  way  to  encapsulate  the  assumptions  about  “when  things 
change”  in  a  given  circuit.  The  adoption  of  such  assumptions  is  natural  whenever  a  detailed  simulation, 
like  that  which  may  be  needed  to  generate  the  minimal  computational  expansion,  is  considered  impractical. 
Indeed, as noted earlier, a reduction from boolean satisfiability [7] shows that timing verification is an NP-hard
problem in general, and thus, indicates that such assumptions are likely to be necessary if the timings
of  arbitrary  circuits  are  to  be  verified  within  an  amount  of  time  which  is  polynomial  in  their  size.  Most  of 
our  results  are  generic  in  the  sense  that  they  can  be  applied  whenever  a  set  of  assumptions  can  be  specified 
as  a  suitable  base  step  function. 

3.2  Expanding  Base  Step  Functions 

To apply the timing analysis of Section 4, a computational expansion $G_{cx}$ must have three important
properties. First, every cycle in $G_{cx}$ must be broken by some latch whose clock is Low. Second, if step i is
the base step specified for the component-step pair (v, k), then the node $v_i$ must compute the ideal output
of component v in G during step k of $\Phi$. Third, for every edge $(v_k, u_l)$ in $G_{cx}$, we have $k \le l$, i.e., edges
never go from one level of the expansion to a lower level of the expansion. Any base step function that
is guaranteed to generate computational expansions with these properties is said to be an expanding base
step function. Most base step functions of interest can be shown to be expanding base step functions, using
arguments similar to those used to prove the following lemma.

Figure 7: A circuit whose minimal computational expansion can be approximated by replacing buffers with inverters in the
computational expansion shown in Figure 6. The minimal computational expansion of the circuit is shown in Figure 8.

Lemma 3.1 For any circuit $G = (V, E)$ and fully synchronous clock set $\Phi$, there exists an expanding base
step function.

Proof: (sketch) Proof of the lemma is by construction, and makes use of two orderings based on the clocks
in $\Phi$. The first is a derived partial ordering on the components in G, while the second is the natural total
ordering that exists on the steps of $\Phi$.

A base step function B which satisfies the lemma can be defined as follows. For any latch v whose clock
is Low during step k, let step i be the least step such that the clock of v is Low during all steps greater
than i and less than or equal to k, i.e., the clock of v is Low over the entire interval $(t_{i+1}, t_{k+1})$. The
function B maps (v, k) to step i when v is a latch whose clock is Low during step k, and maps (v, k) to
step k otherwise. The computational expansion that results from B contains no cycles that are unbroken
by a latch whose clock is Low, since the synchronous nature of G prevents any such cycles within the $-1$st
level of the computational expansion, and guarantees that the rest of the computational expansion is in fact
acyclic.

Figure 8: The minimal computational expansion for the circuit from Figure 7. The expansion can be approximated by
replacing buffers with inverters in the computational expansion shown in Figure 6.


To define the derived partial ordering that is used to prove that B is a base-step function, consider the
circuit $G_k = (V, E_k)$, where $(v,u) \in E_k$ if and only if $(v,u) \in E$ and u is not a latch whose clock input has
value Low during step k. Since $\Phi$ is fully synchronous, the circuit $G_k$ must be acyclic, and thus the edges in
$G_k$ define a partial order on the components in V. The defined partial order is the kth configuration order,
where a component v is before a component u if and only if there exists a path from v to u in $G_k$. If we
assume that all functional elements have at least one input,¹ then latches whose clocks are Low during step
k are the only components which do not have some other component before them in the kth configuration
order. In addition, since $G_k$ is acyclic, if any component in V has a given property, then there must exist
some component with the property, that is first in the sense that no other components with the property
are before it in the kth configuration order. By showing that no such first component can exist, the kth
configuration order can be used to establish that no component has a given property.

An inductive argument can be used to show that B computes base steps. First, we hypothesize inductively
that B computes base steps for all steps less than or equal to k and then use the $(k+1)$st configuration
order to show that B computes base steps for step $k+1$. Since the hypothesis is obviously true for $k = -1$,
the function B must, by induction, compute base steps for all component-step pairs.

The proof that B is an expanding base step function is analogous to the proof that B computes base
steps. By using configuration orders to induct on steps, each of the three properties of expanding base step
functions can be shown for B. ∎

It  is  important  to  realize  that  the  models  from  Section  2  are  assumed  throughout  this  paper.  This 
assumption implies many “natural” properties which are not stated explicitly. For example, Equations 1
and 2 guarantee that the outputs of components change only in response to a change in some input, and must
become  constant  after  some  appropriate  delay.  Without  properties  such  as  these,  the  proof  of  Lemma  3.1 
would  not  be  valid,  and  the  timing  constraints  to  be  presented  in  Section  4  would  be  of  limited  use. 

¹ Given the form of Equation 1, any functional element with no inputs would have a constant output value. Consequently,
such a functional element could be deleted from the circuit, as long as components that used the output of the deleted functional
element were suitably modified.

Figure 9: Illustration of delay constraints for the circuit from Figure 1.


4  Timing  Constraints 

In  this  section,  we  define  a  set  of  constraints  which  can  serve  as  a  set  of  sufficient  conditions  for  proper 
circuit  operation.  Despite  its  infinite  size,  the  set  of  constraint  equations  is  important,  since  it  can  be  used 
to guarantee proper circuit operation, handling even unconventional circuits. In Sections 5 and 6, methods
are  presented  that  can  check  the  infinite  number  of  constraints  quickly. 

A computational expansion of a circuit provides a framework for examining the delay constraints described
in Section 1. Consider again the computational expansion shown in Figure 4. Each node in the computational
expansion corresponds to an output value change in the circuit in Figure 1. For example, $C_1$ exists in the
computational expansion, because a new value propagates to the output of C when $\phi_1$ changes value to
High at time $t_1$. This change in the output of C implies subsequent changes in the outputs of A and D,
and these changes are reflected by the existence of $A_1$ and $D_3$ in the computational expansion. The output
of $D_3$ eventually settles to the ideal output of A, over the interval $[t_1, t_5)$, that must be latched by D at
time $t_4$. Consequently, the delay of A must be less than or equal to the difference between $t_4$ and $t_1$ if D
is to hold its ideal output over the interval This delay constraint of $t_4 - t_1 \ge d_A$ is represented by
the dark-shaded path shown in Figure 4. Using reasoning similar to the above, all the constraints listed in
Figure 9 (and many others) can be obtained.

The delay constraints for a circuit $G = (V, E)$ can be specified formally, using an expanding base step
function B and the computational expansion $G_{cx} = (V_{cx}, E_{cx})$ generated using B. Let $v \in V$ be any
latch whose clock changes value from High during step $k-1$ to Low during step k. If $B(v,k-1) = i$, then
the ideal output of v over the interval $[t_k, t_{k+1})$ is the value computed by $v_i \in V_{cx}$. Thus, at time $t_k$, v
must latch the value computed by $v_i$. We indicate this fact by associating with $v_i$ a down-time of $t_k$. In a
symmetric fashion, let u be any latch where $B(u,j) = j$. Either the ideal output of u changes at time $t_j$ to
the value computed by $u_j$, or the output of u may experience some type of temporary “glitch.” We indicate
this by associating with $u_j$ an up-time of $t_j$. The set A(G, B) of timing constraints is defined as follows:

$$A(G,B) = \{\, t_l - t_j \ge d(\sigma) : v_i \text{ has down-time } t_l,\ u_j \text{ has up-time } t_j, \text{ and } \sigma \text{ is a path in } G_{cx} \text{ from } u_j \text{ to } v_i \,\},$$

where $d(\sigma)$ equals the total propagation delay of all nodes in the path $\sigma$. By convention, a path from $u_j$
to $v_i$ includes the nodes $u_j$ and $v_i$, and thus we on occasion use $d(v_i)$ to denote the propagation delay of a
single node $v_i$. Observe that for periodic clock sets, the infinite size of $G_{cx}$ implies that A(G, B) contains
an infinite number of constraints. We call each constraint in A(G, B) an A-constraint.
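
The base step function from the proof sketch of Lemma 3.1 and the constraint set A(G, B) defined above can be exercised together on a small circuit; the following is an added worked example, not code from the report. The two-latch ring, the clock functions, the event times and the delays are constructed for illustration, and only a finite prefix of levels is checked, by longest-path search rather than by the methods of Sections 5 and 6.

```python
from graphlib import TopologicalSorter

HIGH, LOW = 1, 0

def base_step(clock, k):
    """B(v, k) from the proof sketch of Lemma 3.1: a latch whose clock is Low
    during step k maps to the last step at which its clock was High (or -1);
    everything else maps to k. clock is None for a functional element."""
    if clock is None or clock(k) == HIGH:
        return k
    i = k
    while i > -1 and clock(i) == LOW:
        i -= 1
    return i

def expand(clocks, edges, n_steps):
    """Levels -1 .. n_steps-1 of G_cx. Returns (B, nodes, preds): nodes is V_cx as
    (component, step) pairs and preds[v_k] is the set of u_l with an edge to v_k."""
    steps = range(-1, n_steps)
    B = {(v, k): base_step(clk, k) for v, clk in clocks.items() for k in steps}
    nodes = {vk for vk, b in B.items() if b == vk[1]}       # B(v, k) = k
    preds = {vk: set() for vk in nodes}
    for u, v in edges:                                       # (u_l, v_k), l = B(u, k)
        for k in steps:
            if B[v, k] == k:
                preds[v, k].add((u, B[u, k]))
    return B, nodes, preds

def constraints(clocks, delay, edges, t, n_steps):
    """A(G, B) restricted to levels 0 .. n_steps-1, one tuple per (u_j, v_i) pair
    joined by a path: (u_j, v_i, t_l - t_j, d), with d the largest d(sigma)."""
    B, nodes, preds = expand(clocks, edges, n_steps)
    latches = [v for v, clk in clocks.items() if clk is not None]
    up = {(u, j): t[j] for u in latches for j in range(n_steps) if B[u, j] == j}
    down = {}
    for v in latches:
        for l in range(n_steps):                             # High in step l-1, Low in step l
            if clocks[v](l - 1) == HIGH and clocks[v](l) == LOW:
                down[v, B[v, l - 1]] = t[l]
    # Level -1 is skipped: its up-times lie at time -infinity, so its constraints
    # hold trivially. The remaining levels must be acyclic (CycleError otherwise).
    sub = {n: {p for p in ps if p[1] >= 0} for n, ps in preds.items() if n[1] >= 0}
    order = list(TopologicalSorter(sub).static_order())
    out = []
    for src, t_up in sorted(up.items()):
        dist = {src: delay[src[0]]}                          # a path includes both end nodes
        for n in order:
            best = max((dist[p] for p in sub[n] if p in dist), default=None)
            if best is not None:
                dist[n] = best + delay[n[0]]
        out += [(src, dst, t_dn - t_up, dist[dst])
                for dst, t_dn in sorted(down.items()) if dst in dist]
    return out

def violations(clocks, delay, edges, t, n_steps):
    """The constraints t_l - t_j >= d(sigma) that fail."""
    return [c for c in constraints(clocks, delay, edges, t, n_steps) if c[2] < c[3]]

# Constructed example: ring L1 -> F -> L2 -> G -> L1 on a two-phase clock with four
# steps per period (phi1 High in steps 0, 4, 8, ...; phi2 High in steps 2, 6, 10, ...).
phi1 = lambda k: HIGH if k >= 0 and k % 4 == 0 else LOW
phi2 = lambda k: HIGH if k >= 0 and k % 4 == 2 else LOW
CLOCKS = {"L1": phi1, "F": None, "L2": phi2, "G": None}
EDGES = [("L1", "F"), ("F", "L2"), ("L2", "G"), ("G", "L1")]
N_STEPS = 12
T = [24 * (k // 4) + (0, 10, 12, 22)[k % 4] for k in range(N_STEPS)]   # t_0 .. t_11
FAST = {"L1": 1, "L2": 1, "F": 10, "G": 10}    # loop delay 22 <= period 24
SLOW = {"L1": 1, "L2": 1, "F": 15, "G": 15}    # loop delay 32 >  period 24

if __name__ == "__main__":
    for name, d in (("FAST", FAST), ("SLOW", SLOW)):
        bad = violations(CLOCKS, d, EDGES, T, N_STEPS)
        print(name, "violated constraints:", len(bad))
        for (u, j), (v, i), avail, need in bad[:3]:
            print(f"  {u}_{j} -> {v}_{i}: t_l - t_j = {avail} < d = {need}")
```

With the slow delays every single latch-to-latch constraint holds; the first failure is on a path that crosses three latches, which is why paths through transparent latches have to be included.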

Although  the  constraint  set  A(G,  B)  is  problematic  due  to  its  infinite  size,  it  is  the  only  set  of  constraints 
that  we  need  to  consider.  The  “scheduling”  constraints  mentioned  in  Section  1  can  be  ignored,  since  they 
do  not  imply  any  constraints  that  are  not  included  in  A(G,  B).  The  following  theorem  confirms  this  fact. 

Theorem  4.1  If  all  the  constraints  in  A(G,  B)  are  met,  then  G  operates  properly. 

Proof: The proof has two parts. The first part shows that if the constraints in A(G, B) are met, then
replacing the constant clocks of $G_{cx}$ with a simple clock set based on $\Phi$ does not change the final outputs
of any nodes in $G_{cx}$. Since the base step function used to generate $G_{cx}$ is assumed to be expanding, this
is equivalent to showing that latches in $G_{cx}$ latch the appropriate ideal outputs of latches in G, when $G_{cx}$
is clocked with the new clock set. The second part of the proof shows that at any step k it is possible to
replace the first k levels of $G_{cx}$ with the approximation $G^k$ without altering the values latched by the
remaining nodes in $G_{cx}$. This is sufficient to prove the theorem, since if latches in G did not hold their
correct ideal outputs at step k, then $G^k$ would input the wrong values into the remaining nodes of $G_{cx}$, and
the replacement would not be possible.

PART 1: Let $G_{cx}$ be clocked by a new clock set $\Phi_{simple}$ that associates with each latch $v_k$ the clock
where is defined as follows: if $v_k$ has up-time $t_k$ but no down-time, then is Low for all time less
than $t_k$ and High for all time greater than or equal to $t_k$. Similarly, if $v_k$ has down-time $t_l$ but no up-time,
then is High for all time less than or equal to $t_l$ and Low for all time greater than $t_l$. Finally, if $v_k$
has up-time $t_k$ and down-time $t_l$, then 0^^ is High during the interval and Low otherwise. All other
nodes use clocks identical to those in the original clock set of $G_{cx}$. Nodes whose clocks were previously
High for all time, but whose clocks in $\Phi_{simple}$ initially have value Low, are initialized to output $\bot$. We
essentially need to show that all latches in $G_{cx}$ latch the appropriate ideal outputs of latches in G.

If some latch in $G_{cx}$ does not latch the appropriate ideal output, then it is possible to identify a set
of node-time pairs that are, in some sense, responsible for the failure. Let $v_k$ be a level-clocked latch with
down-time $t_l$. If the output of $v_k$ at time $t_l$ is not the appropriate ideal output, then the input to $v_k$ must
not have been the appropriate ideal output at time $t_l$. Similarly, if the input to $v_k$ is the output of some
functional element $u_j$, then the output of some input to $u_j$ must not have been the appropriate ideal output
at time $t_l$ minus the propagation delay $d(u_j)$ of $u_j$. If $w_i$ is the node in question, whose output is the input of
$u_j$, then the node-time pairs $(v_k, t_l)$, $(u_j, t_l)$ and $(w_i, t_l - d(u_j))$ are late pairs that prevent $v_k$ from latching
the appropriate ideal output. Continuing in this fashion, we can identify the set of all late pairs for $v_k$. A
late pair $(w_i, t_k)$ is before another late pair $(u_j, t_l)$ if $G_{cx}$ contains a path from $w_i$ to $u_j$.

Now, if there exist latches in $G_{cx}$ that do not latch the appropriate ideal outputs, then we can identify at
least one late pair that is an “unprovoked” late pair. Let $v_k$ be any latch that does not latch the appropriate
ideal output and whose set of late pairs does not contain any other latches that do not latch their appropriate
ideal outputs. Since all cycles in $G_{cx}$ must be broken by at least one latch whose clock is always Low, and
$G_{cx}$ has only a finite number of nodes in its first l levels, for any $l \ge -1$, an induction on the structure of
$G_{cx}$ can be used to show that such a $v_k$ must exist. Similarly, an inductive argument can also be used to
show that the set of late pairs for $v_k$ must contain at least one unprovoked late pair that has no late pairs
before it.

If, however, the constraints in A(G, B) are met, then no unprovoked late pair can exist, as we now show.
Assume that there exists an unprovoked late pair $(u_j, t)$ for $v_k$, where $v_k$ has down-time $t_l$, $v_k$ does not latch
the appropriate ideal output, and the set of late pairs for $v_k$ does not contain any other latches that do not
latch the appropriate ideal outputs. Node $u_j$ must be either a functional element, a latch whose clock signal
is Low for all time, or a latch whose clock signal is High over some interval of time. Now, $u_j$ cannot be a
functional element, since some node whose output is an input to $u_j$ would be part of a late pair that was
before $(u_j, t)$. Also, $u_j$ cannot be a latch whose clock signal is Low for all time, since this would imply that
$G_{cx}$ was not properly initialized. Finally, the fact that all constraints in A(G, B) are met, implies that $u_j$
cannot be a latch whose clock is High over some interval of time. Consider the most complex case of the
clock signal being High over some closed interval $[t_m, t_n]$ where $t_m \neq -\infty$. The time t cannot be greater
than $t_n$, since this would violate our definition of $v_k$ by implying that $u_j$ did not latch the appropriate ideal
output. In addition, t cannot be less than $t_m$, since this would imply that $t_l - t_m < d(\sigma)$, for some path
$\sigma$ from $u_j$ to $v_k$, and thus that some A(G, B) constraint was violated. Consequently, the clock of $u_j$ must
be High at time t, and thus $u_j$ cannot be a latch whose clock is High over some interval of time, since the
component whose output is the input to $u_j$ would be part of a late pair that was before $(u_j, t)$.

Thus, since no unprovoked late pair can exist when all constraints in A(G, B) are met, all latches in $G_{cx}$
clocked with $\Phi_{simple}$ must latch the appropriate ideal outputs whenever all constraints in A(G, B) are met.

PART 2: This part of the proof makes direct use of the kth approximation of G. The outputs of components
in $G^k$ are certainly equal to the outputs of components in G over the interval $[-\infty, t_{k+1})$, and thus, the final
values latched by latches in $G^k$ are equal to the values latched during step k by the corresponding latches in
G. We need to show that for any $k \ge -1$, we can replace the nodes in levels $-1$ through k with $G^k$, without
affecting the values latched by the remaining nodes of $G_{cx}$.

If a component $v_{-1}$ in level $-1$ of $G_{cx}$ were removed and all edges from $v_{-1}$ were replaced with edges
from the copy of v in $G^{-1}$, then all remaining components in $G_{cx}$ would still operate as before. To see this,
simply observe that $G^{-1}$ and level $-1$ of $G_{cx}$ are essentially identical, since they are clocked by identical
clock sets.

We now complete the proof by showing that if for all $-1 \le i \le k$, the nodes in levels $-1$ through i of $G_{cx}$
can be replaced with $G^i$, then the nodes in levels $-1$ through $(k+1)$ of $G_{cx}$ can be replaced with $G^{k+1}$. We
use two steps to show that the replacement works for level $(k+1)$. First, we show that replacing the first
k levels of $G_{cx}$ with $G^{k+1}$ also does not affect whether the remaining nodes in $G_{cx}$ latch the appropriate
ideal outputs. Second, we show that edges from nodes in level $(k+1)$ of $G_{cx}$ can then be replaced with
edges from the components in $G^{k+1}$ while still not affecting the values latched by the remaining nodes in
$G_{cx}$.

We can replace $G^k$ with $G^{k+1}$ if the output of component v in $G^k$ is equal to the output of v in $G^{k+1}$
whenever $B(v,k+1) \neq k+1$. By the definition of “base-step,” however, the output of v in $G^k$ must be
equal to the output of v in $G^{k+1}$ whenever $B(v,k+1) \neq k+1$. The outputs of components v such that
$B(v,k+1) = k+1$ are of no consequence, since $v_{k+1}$ exists in $G_{cx}$, and thus there are no edges between v
in $G^k$ and the rest of $G_{cx}$.

To show that edges from nodes in level $(k+1)$ of $G_{cx}$ can be replaced with edges from components
in $G^{k+1}$, we use an argument similar to that used in Lemma 3.1. We need to show that there can be
no component v that is the first in the $(k+1)$st configuration order to be such that the edges from node
$v_{k+1}$ cannot be replaced with edges from component v in $G^{k+1}$. No functional element can be such a first
component, since the outputs of v and $v_{k+1}$ are identical. To see this, simply observe that v being first in
the $(k+1)$st configuration order implies that all edges to $v_{k+1}$ can be replaced with edges from components
in $G^{k+1}$. A more intricate argument also shows that a latch whose clock is High during step $k+1$ cannot
be such a first component. If the clock of v is High for all time, then the clock of $v_{k+1}$ must also be High
for all time, and the outputs of v and $v_{k+1}$ must once again be identical. If the clock of v is not High for
all time, then let $t_i$ be the time that the clock last changed value from Low to High. Before time $t_i$ the
output of $v_{k+1}$ must be $\bot$ and consequently the output of $v_{k+1}$ is of no consequence before $t_i$. Thus, since
the outputs of v and $v_{k+1}$ are certainly identical for all time greater than or equal to $t_i$, we can replace
edges from $v_{k+1}$ with edges from v, without affecting the remaining nodes in $G_{cx}$. Finally, by combining
the argument for latches whose clocks are High during step $k+1$ with the fact that a latch $v_{k+1}$ latches
the appropriate ideal output when nodes in earlier levels are replaced by $G^k$, it can be shown that a latch
whose clock is Low during step $k+1$ also cannot be such a first component. ∎

Now  that  the  set  of  A-constraints  has  been  defined,  it  is  possible  to  appreciate  why  certain  “natural” 
functions  are  not  sufficiently  general  for  our  purposes.  For  example,  the  function  /  would  initially  seem 
to  be  a  reasonable  basis  for  the  construction  of  a  computational  expansion,  but  as  illustrated  in  Figure  6, 
there  exist  circuits  for  which  the  function  /  can  result  in  expansions  which  are  missing  potentially  important 
nodes. Without these nodes, the set of A-constraints defined by the expansion would be incomplete.

Similarly, functions that only consider changes in the value output by a component are also not sufficiently general to handle all circuits. For example, consider the function B^ that maps a component-step pair $(v, k)$ to the earliest step $i$ such that during the interval the ideal output of $v$ is constant, and $v$ never destabilizes, i.e., the earliest step $i$ such that the output of $v$ is “settling” over the interval. While for many level-clocked circuits, B^ is likely to be a base-step function, there do exist circuits for which B^ is
not  sufficiently  general.  To  see  this,  consider  the  circuit  fragment  shown  in  Figure  10.  The  functional  element 
A  is  a  binary  OR-gate  whose  propagation  delay  is  4.  The  first  thing  to  note  about  the  fragment  is  that  the 
destabilization  of  A  at  time  1  does  not  correspond  to  a  change  in  ideal  output.  It  is  thus  apparent  that  the 
shown  waveforms  reflect  an  assumption  that  the  output  of  A  “glitches”  each  time  that  one  of  the  inputs  to 
A  changes  value.  Since  many  implementations  of  an  OR-gate  do  not  have  this  property,  the  example  is  not 
particularly  realistic.  Nevertheless,  the  fragment  serves  its  intended  illustrative  purpose.  A  consequence  of 
the “glitch” property is that the output of A does not stabilize until one propagation delay after the rising
edge of $\phi_2$ at time 13, and thus, the output of A is invalid over the entire interval [10, 17]. Observe that
this interval is 3 time units longer than the propagation delay of A. The extreme length of the interval is
due  to  the  fact  that  two  “invalid”  intervals  of  length  4  are  overlapping.  Unfortunately,  B^  does  not  yield  an 
expansion  which  reflects  the  length  of  the  interval.  If  one  applies  the  various  definitions,  one  finds  that  the 
minimal computational expansion of the fragment is the “circuit” shown in Figure 11. An expansion based on B^, however, would not include the darkly shaded nodes, since, for example, the output of A is settling over the interval [10, 19], and the ideal output of A is constant over that interval, as well.

Figure 10: A circuit demonstrating the inability of “settling” to capture all computations by component. The minimal computational expansion of the circuit is shown in Figure 11.

Given  the  amount  of  “mechanism”  needed  to  define  the  set  of  A-constraints,  it  is  natural  to  ask  whether 
the  complexity  is  justified.  There  are  two  primary  benefits  of  defining  the  set  of  A-constraints  in  terms  of 
a  computational  expansion  and  a  base-step  function.  First,  the  base-step  function  provides  a  mechanism 
for  tailoring  the  set  of  A-constraints  to  the  peculiarities  of  a  particular  circuit.  For  example,  one  could 
define  a  base-step  function  which  reflected  the  behavior  of  stable  feedback  loops,  or  multiplexors.  Second, 
the  definition  of  what  constitutes  a  base-step  function  provides  a  precise  criterion  for  what  properties  the 
user  is  guaranteeing  when  he  specifies  a  “customized”  base-step  function.  Moreover,  the  following  theorem 
essentially states that the required properties are precisely the ones that are needed for accurate timing
verification. 

Theorem  4.2  For  any  externally  synchronized  circuit  G,  if  some  constraint  in  A(G,B*)  is  not  satisfied, 
then  G  is  not  properly  timed. 

Proof: (sketch) Proof of the theorem follows the same basic outline as the proof of Theorem 4.1. Here, however, the existence of a violated A-constraint immediately implies that some latch in $G_{ex}$ must latch $\perp$ if $G_{ex}$ is clocked by $\Phi_{simple}$. The second step of the proof shows that if some latch in $G_{ex}$ latches $\perp$, then some latch in G must also latch $\perp$, and thus that G is not properly timed.

Figure 11: The minimal computational expansion of the circuit shown in Figure 10. The darkly shaded nodes would not be present in an expansion based on B^.

An argument similar to one used to prove Lemma 3.1 can be used to prove that if some latch in $G_{ex}$ latches $\perp$, then some latch in G must also latch $\perp$. Let P be the following predicate:

True if there exist $t' < t$ such that, at time $t'$, the output of $v$ is not equal to the output of $v_i$, where $i$ is the base step for $v$ and the step containing $t'$; False otherwise.

If P is False for all vertex-time pairs, then the output of any vertex $v$ during step $i$ must be equal to the output of node in the computational expansion, over the interval (t|, Thus, if P is always False, then some latch in the original circuit must latch $\perp$, whenever some latch in the minimal computational expansion latches $\perp$. The proof that P is False for all vertex-time pairs parallels the argument used in Lemma 3.1. As in the proof of Lemma 3.1, the goal is to use the natural ordering of steps and the configuration orderings of vertices to identify the “first” vertex-time pair for which P is False. A case analysis can be used to show that no such vertex-time pair can exist. ■

5  Practical  Timing  Analysis 

In  this  section,  we  begin  the  process  of  adapting  the  constraint  set  A  for  use  in  timing  verification  algorithms. 
First,  we  examine  the  implications  of  different  possible  base  step  functions,  and  present  a  base  step  function 
B  which  yields  constraints  that  are  less  pessimistic  than  the  constraints  used  by  previous  timing  verification 
algorithms [1, 4, 8, 9, 11, 14, 15, 16, 17, 21, 22]. Second, we show how to eliminate redundant constraints in
A and obtain a new constraint set $\delta$ whose size grows linearly with the size of the computational expansion.
The definitions of B and $\delta$ immediately yield a simple algorithm for verifying the proper operation of any
circuit  that  computes  for  only  a  finite  number  of  steps.  The  algorithm  is  quite  general,  and  is  applicable 
to  circuits  using  nonperiodic  clock  sets.  In  addition,  some  of  these  results  are  used  in  Section  6,  where  we 
describe  an  algorithm  for  verifying  the  proper  operation  of  circuits  that  compute  indefinitely  with  periodic 
clock  sets. 

5.1  Base  Step  Functions 

The base step function greatly affects the usefulness of the constraint set A. Ideally, the constraints in A would be a necessary and sufficient set of conditions for the proper operation of a circuit. Unfortunately, whereas any base step function yields constraints that are sufficient for proper circuit operation, most base step functions yield constraints that are not necessary; a circuit may operate properly even if it violates some of the constraints. In general, the constraints in A are not a necessary set of conditions unless the base step function is essentially equal to $B^*$. Consequently, computing a necessary and sufficient set of conditions is unlikely to be computationally tractable, since a simple reduction from boolean satisfiability [7] shows that the problem of computing $B^*$ is NP-hard.

In some cases, it is possible to order different base step functions according to how closely the set of constraints that they yield approximates a set of necessary conditions. Specifically, a base step function $B$ is less strict than another base step function $B'$, if all circuits that meet the A-constraints yielded by $B'$ also meet the A-constraints yielded by $B$, but some circuits that meet the A-constraints yielded by $B$ may not meet the A-constraints yielded by $B'$. Intuitively, $B$ is less strict than $B'$, if it disqualifies fewer properly operating circuits.

The delay constraint equations used by previous timing verifiers loosely correspond to the A-constraints yielded by the following recursive base step function:

$$
B_{trad}(v,k) =
\begin{cases}
\max_{(u,v)\in E} B_{trad}(u,k) & \text{if } k \neq -1 \text{, and } v \text{ is a functional element} \\
B_{trad}(v,k-1) & \text{if } k \neq -1 \text{, and } v \text{ is a latch whose clock is Low during step } k \\
k & \text{if } k \neq -1 \text{, and } v \text{ is a latch whose clock is Low during step } k-1 \text{ and High during step } k \\
\max(B_{trad}(v,k-1),\ B_{trad}(u,k)) & \text{if } k \neq -1 \text{, } (u,v)\in E \text{, and } v \text{ is a latch whose clock is High during steps } k-1 \text{ and } k \\
-1 & \text{if } k = -1
\end{cases}
$$

Ignoring the last “initialization” case, the function $B_{trad}$ essentially states that functional elements find their base steps by taking the maximum over the base steps of all components that are inputs to them. Latches whose clocks are Low have a constant base step, while latches whose clocks change from Low to High change base step to the step after the clock transition occurs, and behave like functional elements as long as their clocks remain High. Unfortunately, the function $B_{trad}$ always disqualifies the circuit shown in Figure 2, because of the apparent delay constraint violation mentioned in Section 1.

A  more  sophisticated  base  step  function  results  in  a  set  of  A-constraints  which  disqualifies  fewer  properly 
operating  circuits  than  previous  timing  verification  algorithms.  Previous  algorithms  essentially  assume  that 
the  output  of  a  latch  changes  whenever  its  clock  changes  from  Low  to  High.  This  assumption  is  unnecessary, 
since  the  base  step  of  the  input  to  the  latch  provides  a  much  more  reasonable  indication  of  whether  a  change 
in  the  output  has  occurred.  One  base  step  function  B  which  incorporates  this  idea  is  recursively  defined  as 
follows: 

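$$
B(v,k) =
\begin{cases}
\max_{(u,v)\in E} B(u,k) & \text{if } k \neq -1 \text{, and } v \text{ is a functional element} \\
B(v,k-1) & \text{if } k \neq -1 \text{, and } v \text{ is a latch whose clock is Low during step } k \\
B(v,k-1) & \text{if } k \neq -1 \text{, } (u,v)\in E \text{, } v \text{ is a latch whose clock is High during step } k \text{, and } B(v,k-1) \geq B(u,k) \\
k & \text{if } k \neq -1 \text{, } (u,v)\in E \text{, } v \text{ is a latch whose clock is High during step } k \text{, and } B(v,k-1) < B(u,k) \\
k & \text{if } k \neq -1 \text{, and } v \text{ is a latch whose clock is High during step } k \text{ and Low during steps } -1 \text{ through } k-1 \\
-1 & \text{if } k = -1
\end{cases}
$$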

The base step function $B$ differs from $B_{trad}$ in the way it handles a latch whose clock changes value from Low to High. Rather than assume a change in the base step of a latch whose clock changes value from Low to High, $B$ considers whether the base step of the input has changed since the step when the clock last changed from High to Low. If the base step of the input has not changed, then the value that passes through the latch when the clock becomes High will be the same value that was latched when the clock last became Low. In such a case, no change to the base step of the latch is necessary. Inductive arguments can be used to show that the function $B$ is an expanding base step function. Unlike $B_{trad}$, $B$ does not disqualify the circuit in Figure 2.

The  fifth  clause  in  the  definition  of  B  reflects  an  assumption  that  the  output  of  a  latch  whose  clock  is 
initially  Low  always  changes  value  the  first  time  that  the  clock  for  the  latch  becomes  High.  This  assumption 
is  by  no  means  arbitrary,  since  it  greatly  simplifies  the  verification  of  circuits  that  use  periodic  clock  sets.  In 
Section 6, we will discuss the implications of this assumption, and possibilities for how it can be removed.

Not surprisingly, it is possible to show that $B$ is less strict than $B_{trad}$. The proof makes use of the fact that $i > j$ implies that $B(v,i) \geq B(v,j)$ and $B_{trad}(v,i) \geq B_{trad}(v,j)$, i.e., both base step functions are monotone. In fact, it is possible to show the following general lemma:

Lemma 5.1 If $B$ and $B'$ are two monotone base step functions, and $B(v,k) \leq B'(v,k)$ for all components $v$ and steps $k$, then all circuits that meet the A-constraints yielded by $B'$ also meet the A-constraints yielded by $B$.

Proof: We show that any circuit that does not meet the A-constraints yielded by $B$ also does not meet the A-constraints yielded by $B'$. Let $t_k - t_j \geq d(\sigma)$ be a violated A-constraint yielded by $B$, where the path $\sigma$ is from $u_j$ to $v_i$, and $v_i$ has down-time $t_k$ and $u_j$ has up-time $t_j$. We show that the computational expansion yielded by $B'$ contains a path $\sigma'$ from some $u_n$ to some $v_m$, such that $v_m$ has down-time $t_k$, $u_n$ has up-time $t_n$ greater than or equal to $t_j$ and the total delay along $\sigma'$ is equal to the total delay along $\sigma$. Such a $\sigma'$ directly implies the violation of a A-constraint yielded by $B'$.

We demonstrate the existence of $\sigma'$ with an explicit construction. Each node in $\sigma$ has a corresponding node in $\sigma'$. The construction begins with a node that corresponds to $v_i$ in $\sigma$ and inductively proceeds backwards along a path that eventually becomes $\sigma'$. Successive pairs of corresponding components maintain the invariant that the node in $\sigma$ is never in a higher level than the corresponding node in $\sigma'$.

To find the node $v_m$ that corresponds to $v_i$, simply note that $v_i$ has a down-time of $t_k$ only if $B(v,k) = i$. Thus, we let $v_m$ be such that $B'(v,k) = m$. We know that $m \geq i$, since the result of $B'$ is greater than or equal to the result of $B$ for any component-step pair.

Given any corresponding pair of nodes in $\sigma$ and $\sigma'$, the next corresponding pair of nodes is found by simply tracing back through the respective computational expansions. Let $w_p$ and $w_q$ be a corresponding pair of nodes in $\sigma$ and $\sigma'$, respectively. If the component before $w_p$ in $\sigma$ is $x_r$, then the component before $w_q$ in $\sigma'$ is $x_s$, where $B'(x,q) = s$. The conditions of the lemma specify that $B'(x,q) \geq B(x,q)$. In addition, since the invariant between corresponding pairs of nodes guarantees that $q \geq p$, the monotonicity of $B$ implies that $B(x,q) \geq B(x,p)$. Consequently, since $B(x,p) = r$, we can conclude that $s \geq r$, and thus that $x_r$ and $x_s$ maintain the invariant between pairs of nodes.

The final $\sigma'$ can be used to identify a violated A-constraint yielded by $B'$. By construction, the total delay along $\sigma'$ must be equal to the total delay along $\sigma$. In addition, since $B'(v,k) = m$, the last node $v_m$ in $\sigma'$ must have a down-time of $t_k$. Finally, the invariant between corresponding nodes in $\sigma$ and $\sigma'$ guarantees that the first node $u_n$ in $\sigma'$ cannot be in a lower level of the computational expansion than the first node $u_j$ of $\sigma$, and thus, that $u_n$ must have an up-time $t_n$ that is greater than or equal to the up-time of $u_j$. Consequently, the fact that the A-constraint associated with $\sigma$ is violated directly implies that the A-constraint associated with $\sigma'$ must also be violated. ■

Corollary 5.1 $B$ is less strict than $B_{trad}$.

Proof: As noted earlier, $B_{trad}$ disqualifies the circuit shown in Figure 2, while $B$ does not. In addition, one can show that both $B$ and $B_{trad}$ are monotone, and thus the corollary follows immediately from Lemma 5.1. ■

While not necessary for all of the results in this paper, monotonicity is a natural property for a base step function to have, since any base step function $B$ which is not monotone can easily be transformed into a monotone base step function $B'$ by simply letting $B'(v,j) = B(v,i)$ whenever $B(v,i) < B(v,j)$ for $i > j$. A simple check of the definition of base step shows that the function $B'$ is still a base step function, since the fact that $B(v,i) < B(v,j)$ directly implies that $B(v,i)$ is also a base step for the pair $(v,j)$. Computational expansions generated with monotone base step functions are monotone computational expansions.

5.2  Removing  redundant  constraints 

Careful  examination  suggests  that  the  majority  of  the  constraints  in  A  are  redundant.  Consider,  for  example, 
the  A-constraints  for  the  computational  expansion  shown  in  Figure  4.  The  down-time  18  that  is  associated 
with Dj is part of three A-constraints: $18 - 1 \geq 2 \cdot 5 + 4$, $18 - 7 \geq 5 + 4$ and $18 - 10 \geq 5$. Observe, however,
that if we rewrite the constraints as $18 \geq 2 \cdot 5 + 4 + 1$, $18 \geq 5 + 4 + 7$ and $18 \geq 5 + 10$, it is apparent that
if  the  down-time  associated  with  Dr  is  large  enough  to  satisfy  the  second  of  the  three  constraints,  then  the 
down-time  satisfies  the  other  two  constraints  as  well.  Thus,  the  first  and  last  of  the  three  constraints  are 
redundant. 

In order to avoid such redundancies, we formulate a derived constraint set $\delta$. Consider the set of all constraints in A that correspond to paths ending at a particular node $v_k$ in the computational expansion. Each constraint is of the form $t_l - t_i \geq d(\sigma)$, where $t_l$ is the down-time associated with $v_k$ and $t_i$ is the up-time associated with the first node in the path $\sigma$. If a particular constraint is such that the quantity $t_i + d(\sigma)$ is maximal, then that constraint is defined to be a $\delta$-constraint of $v_k$. The constraint set $\delta$ contains one $\delta$-constraint for each node in the computational expansion. Certainly, all constraints in A are met if and only if all constraints in $\delta$ are met.

The attractive feature of $\delta$ is that the constraints that it contains are easy to generate, and check, whenever a monotone base step function is used. The key observation is that the maximal quantity $t_i + d(\sigma)$ exists for all nodes in the computational expansion, not just latches with associated down-times. Let $v_k$ be any node in a computational expansion generated with a monotone base step function. If $\sigma$ is a path to $v_k$ from a latch with an associated up-time $t_i$ such that the quantity $t_i + d(\sigma)$ is maximal, then the quantity $db(v_k) = t_i + d(\sigma)$ is the down-time bound of $v_k$. The down-time bound $db(v_k)$ is simple to calculate, using the following recursive definition:

$$
db(v_k) =
\begin{cases}
d(v_k) + \max_{(u_i,v_k)\in E_{ex}} db(u_i) & \text{if } v_k \text{ is a functional element,} \\
\max(db(u_i),\ t_k) & \text{if } v_k \text{ is a latch with associated up-time } t_k \text{ and } (u_i,v_k)\in E_{ex}, \\
-\infty & \text{if } k = -1.
\end{cases}
$$

If the down-time associated with any node is greater than the down-time bound of the node, then the $\delta$-constraints for the node are certainly met. The last clause in the equation reflects our assumption that all clocks have a constant value during step $-1$, i.e., over the interval $[-\infty, t_0]$. The clause could be modified to reflect different assumptions about how a circuit is initialized.

5.3  A  verification  algorithm  for  finite  clocking  schemes 

Algorithm Finite takes a circuit $G = (V, E)$ and a clock set $\Phi$ and verifies in $O((|V| + |E|)K)$ time whether $G$ operates properly for the first $K$ steps of $\Phi$. Using the base step function $B$, Algorithm Finite constructs the first $K$ levels of the computational expansion of $G$ and checks the $\delta$-constraints of each node. Only $O(|V| + |E|)$ working space is needed, since nodes in the computational expansion are generated and discarded throughout the course of the algorithm. Total space required is $O(|V| + |E| + |\Phi|K)$, however, since specification of the clocks may require $O(|\Phi|K)$ additional space.

Algorithm Finite generates, level by level, the nodes in the computational expansion $G_{ex}$, checking $\delta$-constraints as nodes are generated. The algorithm begins by generating level $-1$ of $G_{ex}$ and computing for each node the values of $B$ and $db$. Level 0 of $G_{ex}$ is then generated using the definitions of $B$ and up-time, and $\delta$-constraints of nodes in level 0 are checked using the definitions of $db$ and down-time. Nodes and their $\delta$-constraints in subsequent levels of $G_{ex}$ are generated and checked in a like manner. Observe, however, that the generation of nodes and constraints in level $(k+1)$ of $G_{ex}$ only requires the quantities $B$ and $db$ for nodes $v_i$, where $i = B(v,k)$. Consequently, a node $v_i$ in $G_{ex}$ can be discarded, and its storage reused, whenever a new node $v_j$ is generated for a higher level of $G_{ex}$. Observe that $v_i$ could not be discarded if $B$ were not monotone.


Algorithm Finite

     1  FOR each component v DO
     2      IF v is a latch whose clock is Low during the −1st step
     3      THEN
     4          v.B ← −1
     5          v.db ← −∞
     6          v.Updated ← TRUE
     7      ELSE
     8          v.Updated ← FALSE
     9  FOR LEVEL = −1 TO K DO
    10      FOR each component v DO
    11          Update(v, LEVEL)
    12      FOR each component v DO
    13          IF v is a latch whose clock is High during step
    14             LEVEL and is Low during step LEVEL + 1
    15          THEN
    16              DownTime ←
    17              IF DownTime < v.db
    18              THEN
    19                  TIMING-FAULT ← TRUE
    20      FOR each component v DO
    21          v.Updated ← FALSE

Figure 12: Algorithm FINITE takes a circuit $G = (V,E)$ and a clock set $\Phi$ and verifies in $O((|V| + |E|)K)$ time that $G$ operates properly for the first $K$ steps of $\Phi$.


Routine Update

    IF v.Updated = TRUE or
       v is a latch whose clock is Low during step LEVEL
    THEN
        v.Updated ← TRUE
        RETURN
    ELSE
        FOR each u such that (u,v) ∈ E
        DO
            Update(u, LEVEL)
        IF v is a functional element
        THEN
            v.B ← max_{(u,v)∈E} u.B
        ELSEIF v is a latch whose clock is High during step LEVEL and
               v.B ≥ u.B, where (u,v) ∈ E
        THEN
            v.B ← v.B
        ELSEIF v is a latch whose clock is High during step LEVEL and
               v.B < u.B, where (u,v) ∈ E
        THEN
            v.B ← LEVEL
        v.db ← v.d + max_{(u,v)∈E} u.db
        IF v.db < t_LEVEL and v.B = LEVEL
        THEN
            v.db ← t_LEVEL
        v.Updated ← TRUE
        RETURN


Figure 13: Routine Update takes $v$ and LEVEL as arguments and updates the variables v.B and v.db using the definitions for stable configuration and tail weight.

Figure 12 shows Algorithm Finite. The global variable LEVEL indicates the level of $G_{ex}$ currently being worked on, and v.B, v.db, v.d, and v.Updated are fields of a record that holds data for component $v \in V$. The fields v.B, v.db and v.d store the base step, down-time bound and propagation delay, respectively, for $v$ during the step corresponding to LEVEL, and the variable v.Updated is a flag that indicates whether v.B and v.db have been updated from the values for the previous level of $G_{ex}$. Lines 1-8 set v.B and v.db to the initial values specified by the definitions of $B$ and down-time bound. Lines 10-19 generate nodes and test $\delta$-constraints for a single level of $G_{ex}$. The subroutine UPDATE is shown in Figure 13, and computes v.B and v.db for the level of $G_{ex}$ being worked on. Update is implemented recursively, with a straightforward coding of the recursive definitions of $B$ and $db$.

For each level of $G_{ex}$, the total time needed to perform all calls to UPDATE is $O(|V| + |E|)$, or $O(|E|)$ if $G$ is connected. To show this, we break the calls to UPDATE into two categories. Calls to UPDATE that terminate because $v$ has already been updated are cheap, and calls that actually calculate new values for v.B and v.db are expensive. Cheap calls require only constant time and are charged a single unit of time. Expensive calls make recursive calls to Update, and then perform computations that require time proportional to the number of edges to $v$. The time required for the recursive calls is charged to those calls, while the time required to actually compute v.B and v.db is charged to the call itself. For any component, only a single expensive call is ever made. Consequently, the total time required for all expensive calls is $O(|V| + |E|)$. Similarly, since each component makes at most one cheap call for each input, the total time required for all cheap calls is also $O(|V| + |E|)$.

Algorithm Finite runs in $O((|V| + |E|)K)$ time and $O(|V| + |E| + |\Phi|K)$ space. Except for the calls to Update, the time bound for the internal loop, Lines 10-21, of Algorithm Finite is $O(|V|)$. Thus, since the total time needed for all calls to UPDATE can be shown to be $O(|V| + |E|)$ for each level of $G_{ex}$, the total time needed by Algorithm Finite is $O((|V| + |E|)K)$. Algorithm Finite requires storage for a constant number of variables per component in $G$, the structure of $G$ itself and the clock values for $K$ steps. Thus the total space required is $O(|V| + |E| + |\Phi|K)$.
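The base step rules of Section 5.1, the down-time bound of Section 5.2 and the level-by-level check of Section 5.3 can be exercised together on a small circuit. The Python code below is an added example, not code from the report: it evaluates either $B$ or $B_{trad}$ on a constructed circuit (not Figure 2) in which latch L1 reopens while its input is unchanged. It assumes that a latch closing at the end of step $k$ has down-time $t_{k+1}$, that a primary input is a functional element with no inputs and base step $-1$, and that clock waveforms are given as one H/L character per step.

```python
import math

# Constructed circuit (not Figure 2 of the report): IN -> L0 -> L1 -> A -> L2.
# A component is ("func", propagation_delay) or ("latch", clock_name).
COMPONENTS = {
    "IN": ("func", 0),        # constant primary input (modelling assumption)
    "L0": ("latch", "phi0"),
    "L1": ("latch", "phi1"),
    "A":  ("func", 15),
    "L2": ("latch", "phi2"),
}
EDGES = [("IN", "L0"), ("L0", "L1"), ("L1", "A"), ("A", "L2")]
# One character per step, starting with step -1: H = High, L = Low.
CLOCKS = {"phi0": "LHLLLL", "phi1": "LLHLHL", "phi2": "LLLLHL"}
T = [0, 10, 20, 30, 40]       # T[k] = start time t_k of step k


def verify(components, edges, clocks, t, base_step="B"):
    """Check the down-time constraint of every latch, level by level.

    base_step is "B" (input-aware rule) or "trad" (the B_trad rule).
    Returns (faults, B); a fault is (latch, down_time, down_time_bound).
    """
    ins = {v: [] for v in components}
    for u, v in edges:
        ins[v].append(u)
    latches = [v for v, c in components.items() if c[0] == "latch"]

    def high(v, k):           # clock level of latch v during step k
        return clocks[components[v][1]][k + 1] == "H"

    B = {v: -1 for v in components}            # base steps at level -1
    db = {v: -math.inf for v in components}    # down-time bounds at level -1
    seen_high = {v: high(v, -1) for v in latches}
    faults = []

    for k in range(len(t)):
        done, active = set(), set()

        def update(v):
            if v in done:
                return
            kind, param = components[v]
            if kind == "latch" and not high(v, k):
                done.add(v)   # a latch whose clock is Low keeps B and db
                return
            if v in active:
                raise ValueError(f"transparent cycle through {v} in step {k}")
            active.add(v)
            for u in ins[v]:
                update(u)
            in_B = max((B[u] for u in ins[v]), default=-1)
            in_db = max((db[u] for u in ins[v]), default=-math.inf)
            if kind == "func":
                B[v], db[v] = in_B, param + in_db
            else:
                if base_step == "trad":
                    # every Low-to-High transition starts a new base step
                    B[v] = k if not high(v, k - 1) else max(B[v], in_B)
                elif not seen_high[v] or B[v] < in_B:
                    # first opening, or the input's base step is newer
                    B[v] = k
                up_time = t[B[v]] if B[v] >= 0 else -math.inf
                db[v] = max(in_db, up_time)
                seen_high[v] = True
            done.add(v)

        for v in components:
            update(v)
        if k + 1 < len(t):
            for v in latches:  # latches whose clock falls at t[k + 1]
                if high(v, k) and not high(v, k + 1) and t[k + 1] < db[v]:
                    faults.append((v, t[k + 1], db[v]))
    return faults, B


if __name__ == "__main__":
    for rule in ("trad", "B"):
        print(rule, verify(COMPONENTS, EDGES, CLOCKS, T, rule))
```

With the 15-unit delay on A, the $B_{trad}$ rule reports a fault at L2 while $B$ accepts the circuit; raising the delay of A to 35 makes the $B$ rule report the same fault.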

6  Verifying  circuits  with  periodic  clock  sets 

In  this  section,  we  examine  how  all  constraints  in  A  can  be  checked  in  the  practical  case  of  circuits  with 
periodic  clock  sets.  In  particular,  we  describe  how,  for  periodic  clock  sets,  the  infinite  number  of  constraints 
in  A  can  be  checked  in  polynomial  time.  The  method  partitions  the  computational  expansion  into  subgraphs, 
or  frames,  which  are  essentially  the  computational  expansions  of  individual  clock  periods.  Constraints  in 
A  are  then  divided  into  internal  constraints  that  correspond  to  paths  within  individual  frames,  and  cross 
constraints that correspond to paths that include nodes from multiple frames. Violated constraints of either
type  can  be  detected  by  searching  for  negative  weight  paths  in  an  augmented  copy  of  a  single  “pessimistic” 
frame.  The  methods  we  describe  immediately  lead  to  an  algorithm  for  verifying  the  proper  operation  of 
periodically  clocked  circuits. 

6.1 Frames of Computational Expansions

The period $\pi$ of a clock set $\Phi$ provides a natural partition of the constraint set A. For any time $t$, if $t = t_0 + j\pi + x$ where $j$ is a nonnegative integer and $0 < x \leq \pi$, then $t$ is in the $j$th period of $\Phi$ and $x$ is the offset of time $t$. A A-constraint is an internal constraint, if the corresponding up-time and down-time of the constraint are both in the same clock period. A A-constraint is a cross constraint, if the corresponding up-time and down-time of the constraint are in different clock periods. Observe that since times less than $t_0$ are not part of any period, A-constraints with corresponding up-times of $-\infty$ (i.e., $t_{-1}$) are technically neither internal constraints nor cross constraints. This boundary condition artifact is of no consequence, however, since A-constraints with corresponding up-times of $-\infty$ can never be violated.

The period $\pi$ of a clock set $\Phi$ also provides a natural partition of a computational expansion. We define
the $k$th contour of the computational expansion to be all nodes $v_i$ such that $i = B(v, k)$. For any nonnegative
integer $j$, the $j$th frame of the computational expansion is the vertex induced subgraph of $G_{cx}$ containing
all nodes in contours $(jP)$ to $(jP + (P - 1))$, where $P$ is the number of steps in the time interval $(t_0, t_0 + \pi]$.
Observe that a particular contour may contain nodes from several different levels, and may share nodes with
other contours. Internal constraints must correspond to paths that are completely contained within a single
frame, while cross constraints must correspond to paths that include nodes from two or more frames.

Figure 14: Computational expansion frame for the circuit from Figure 2. The slacks for the frame are listed in Table 1.

Figure 14 shows the first frame of the computational expansion generated by $B$ for the circuit from
Figure 2. Nodes in different levels of the computational expansion are separated by dashed lines. All latches
in a particular level must have identical up-times, and in this relatively simple example all latches in a
particular level also have identical down-times. Consequently, the up-times and down-times of the various
latches can be read from the dashed lines that enclose the latch. The 0th contour consists of all the nodes in
level $-1$, while the $P$th (i.e., 10th) contour consists of all the darkly shaded nodes. Observe that the 10th
contour contains nodes from levels 9, 7, 5, and 3, and shares nodes with contours 3 through 9. In fact, for
the example shown, contours $(P - 1)$ and $P$ are identical.

The key to checking the infinite number of $\Lambda$-constraints, in an amount of time which is polynomial in
the size of a given circuit, is the fact that it is sometimes possible to isolate a single “pessimistic” frame of a
computational expansion. For convenience, we extend the definitions of “period” and “offset” so that they
apply to steps as well as times. For nonnegative integers $i$, $j$, and $k$, if $i = jP + k$ where $k < P$, then step $i$
of $\Phi$ is in the $j$th period of $\Phi$ and $k$ is the offset of step $i$. Frame $j$ of a computational expansion generated
with base step function $B$ is strict, if for all components $v$, periods $n$, and offsets $k$,

$$(B(v, jP + k) \neq jP + k) \Rightarrow (B(v, nP + k) \neq nP + k).$$

The equation essentially states that if the base step function for a component $v$ does not change value at
a particular offset $k$ into a strict frame, then the base step function for $v$ cannot change value at offset $k$
into any other frame. Intuitively, a frame is strict if component outputs change more frequently during that
frame than during any other frame.

An alternate way to define a strict frame would be to require that all components have “more recent”
base steps during that frame than during any other frame. Formally, frame $j$ is strict, if for all components
$v$, periods $n$, and offsets $k$, $[(nP + k) - B(v, nP + k)] \ge [(jP + k) - B(v, jP + k)]$, i.e., the differences
between steps and base steps are minimized during a strict frame. The two definitions are not identical,
since frames that are strict by the first definition may not be strict by the alternate definition. Consider,
for example, a computational expansion $G_{cx}$ generated with $B_{trad}$. Since $B_{trad}$ “makes a copy” of a latch
each time that the clock of the latch changes value from Low to High, the fact that the clock set is periodic
implies that all frames in $G_{cx}$ are strict by the first definition. Observe, however, that not all frames in
$G_{cx}$ are identical. In particular, the first contour of frame 0 is, in general, different from the first contour
of any other frame, due to the step $-1$ boundary condition, and in fact only frame 0 would be considered to be
strict by the alternate definition. It can be shown, however, that the two definitions are identical, except
for such boundary cases involving nodes in the first contour of frame 0. Given the fact that $\Lambda$-constraints
with corresponding up-times of $-\infty$ can never be violated, the first definition of strictness is preferred for
its wider applicability.

For the base step function $B$, frame 0 is strict. In fact, it is possible to show the somewhat stronger
property that for all components $v$, and offsets $i$, the difference between $(kP + i)$ and $B(v, kP + i)$ can only
increase from one frame to the next.

Lemma 6.1 If $\Phi$ is a clock set with $P$ steps in each period, then for any component $v$ and step $k > 0$,

$$B(v, k) \ge B(v, k + P) - P.$$


Proof: The lemma certainly holds for $k = -1$, since for any component $v$ the definition of $B$ states that
$B(v, -1) = -1$, and $B(v, -1 + P)$ can be at most $P - 1$, i.e., less than or equal to $B(v, -1) + P$.

If the lemma holds for all steps less than $k$, and $v$ is a latch whose clock is Low during step $k$, then the
lemma holds trivially for $v$ and $k$. If $v$ is a latch whose clock is Low during step $k$, then $B(v, k) = B(v, k - 1)$.
Similarly, since the clock of $v$ must also be Low during step $k + P$, $B(v, k + P) = B(v, k + P - 1)$. Consequently,
$B(v, k) \ge B(v, k + P) - P$, since by assumption $B(v, k - 1) \ge B(v, k - 1 + P) - P$.

Given that the lemma holds at step $k$ for latches whose clocks are Low during step $k$, a simple
proof-by-contradiction shows that the lemma holds at step $k$ for all components. Assume that the lemma fails
to hold for some component at step $k$. The lemma can only fail to hold for functional elements or latches
whose clocks are High during step $k$. In addition, since we consider only fully synchronous clock sets, there
must exist some component $v$ for which the lemma holds for any component $u$ whose output is an input to
$v$, but fails for $v$ itself. Let $v$ be such a component, and consider the different cases from the definition of $B$.
If $v$ is a functional element, then the lemma must hold for $v$, since the assumption that the lemma holds for
any input $u$ implies that

$$\max_{(u,v) \in E} B(u, k) \ge \left( \max_{(u,v) \in E} B(u, k + P) \right) - P.$$

If $v$ is a latch where either $B(v, k - 1) < B(u, k)$ or the clock of $v$ is Low during steps $-1$ through $k - 1$,
then $B(v, k) = k$, and thus, since $B(v, k + P)$ can be at most $k + P$, we have $B(v, k) \ge B(v, k + P) - P$
and the lemma must hold for $v$. If $v$ is a latch where $B(v, k - 1) > B(u, k)$, then there are two subcases to
consider. The first is when $B(v, k - 1 + P) > B(u, k + P)$. In this case, one can show that the lemma holds
for $v$, since $B(v, k) = B(v, k - 1)$, $B(v, k + P) = B(v, k - 1 + P)$, and $B(v, k - 1) \ge B(v, k - 1 + P) - P$.
The second subcase is when $B(v, k - 1 + P) < B(u, k + P)$. Here, a formal proof is somewhat involved
but the general strategy is to show that no $v$ can fall into this subcase. More specifically, it is possible to
show that if $B(v, k - 1 + P) < B(u, k + P)$, then either the clock of $v$ is Low for some interval of time
$(t, t_{k+P})$ which includes step $B(u, k + P)$, or $B(u, k + P) = k + P$. If $B(u, k + P) = k + P$, then we can
show that $B(v, k - 1) > k$, which is clearly absurd. If the clock of $v$ is Low for some interval of time
$(t, t_{k+P})$, which includes step $B(u, k + P)$, then the assumption that $B(u, k) \ge B(u, k + P) - P$ implies that
$B(v, k - 1) < B(u, k)$, contradicting the premise that $B(v, k - 1) > B(u, k)$. ∎

The proof of Lemma 6.1 requires the assumption, mentioned in Section 5.1, that the output of a latch
whose clock is initially Low always changes value the first time that the clock for the latch becomes
High. The assumption provides a basis for the induction used to prove Lemma 6.1 and in turn makes the
identification of a strict frame simple. If the assumption were removed and replaced with a specification
of initial base steps for components, then a strict frame may be difficult to identify, and, indeed, may not
even exist. In such cases, however, it is generally possible to construct a strict pseudoframe, i.e., one that
is more strict than any actual frame in the computational expansion, but that does not itself exist in the
computational expansion. Of course, the generally “pessimistic” nature of such a pseudoframe may lead to
the disqualification of some types of properly operating circuits.

6.2  Internal  Constraints 

To check all internal constraints, it is sufficient to just check the internal constraints of a single strict
frame. Given Lemma 6.1, the following theorem essentially states that any violated internal constraint of a
computational expansion generated with $B$ can be detected by checking the internal constraints of frame 0.

Theorem 6.1 If a frame of a monotone computational expansion is strict, then all internal constraints for
all frames are met if and only if the internal constraints for the strict frame are met.

Proof: Let frame $j$ be strict. All internal constraints are met only if the internal constraints in frame $j$ are
met, since the internal constraints in frame $j$ are in fact internal constraints in the computational expansion.
In addition, since frame $j$ is strict, an argument similar to the one used to prove Lemma 5.1 shows that all
internal constraints in the original computational expansion are met whenever all internal constraints in frame
$j$ are met. ∎

6.3  Cross  Constraints 

Strict frames can also be used to check cross constraints. A cross constraint corresponds to a path $\sigma$ which
includes nodes from multiple frames of the computational expansion. Observe that all the nodes from a
particular frame $i$ form a subpath $\sigma_i$ of $\sigma$, and each $\sigma_i$ contributes some delay to the cross constraint, while
intuitively, the fact that $\sigma_i$ includes nodes from different contours of the computational expansion implies
that $\sigma_i$ contributes some time to the “down-time to up-time” part of the cross constraint. The first subpath
of $\sigma$ contributes its delay, and the amount of time between the up-time of the first node in the path and the
end of the clock period containing the up-time. The last subpath of $\sigma$ contributes its delay, and the amount
of time between the down-time of the last node in the path and the start of the clock period containing the
down-time. Other subpaths contribute their delay, and the amount of time contained in a full clock period.
By summing all the contributed delays and times, we can obtain the complete cross constraint.

Given a frame that begins with contour $k$, the slacks for the frame encode the worst case delay-and-time
contributions of subpaths in the frame. The clock period $\pi_k$ associated with the frame is the interval
$(t_k, t_{k+P})$, and is of length $\pi$. For any node $v_i$ in the first contour of the frame, if $\sigma$ is a path from $v_i$ to any
latch in the frame such that the quantity $(t - t_k) - d(\sigma)$ is minimized, where $t \in \pi_k$ is a down-time associated
with the latch, then the quantity $head(v) \stackrel{\mathrm{def}}{=} (t - t_k) - d(\sigma)$ is the head slack of the component corresponding
to $v_i$. Similarly, for any node $u_j$ in the first contour immediately after the frame, if $\sigma$ is the path from
any latch in the frame such that the quantity $(t_{k+P} - t) - (d(\sigma) - d(u_j))$ is minimized, where $t \in \pi_k$ is an
up-time associated with the latch, then the quantity $tail(u) \stackrel{\mathrm{def}}{=} (t_{k+P} - t) - (d(\sigma) - d(u_j))$ is the tail slack
of the component corresponding to $u_j$. Finally, for any node $v_i$ in the first contour of the frame, and node
$u_j$ in the first contour immediately after the frame, if $\sigma$ is a path from $v_i$ to $u_j$ such that the quantity
$\pi - (d(\sigma) - d(u_j))$ is minimized, then the quantity $frame(v, u) \stackrel{\mathrm{def}}{=} \pi - (d(\sigma) - d(u_j))$ is the frame slack of the
pair of components corresponding to $v_i$ and $u_j$. If no path exists between $v_i$ and $u_j$, then there is no frame
slack for the pair $(v, u)$. Similarly, no head slack (or tail slack) exists for component $v$ if no paths exist to (or
from) nodes with associated down-times (or up-times). Intuitively, the slacks are the worst-case differences
between the available amount of time for nodes along a path in the frame to compute and the amount of
time that they require.

Table 1: Frame slacks, head slacks, and tail slacks for the frame shown in Figure 14.

The slacks for the frame shown in Figure 14 can be read from Table 1. For example, the table states
that $head(A) = -4$. Referring back to Figure 14, it is apparent that this is indeed the case, since $G_1$ has
a down-time of 3, $A_{-1}$ is in the first contour of the frame, and there exists a path $\sigma = A_{-1} \to I_1 \to B_1 \to G_1$
from $A_{-1}$ to $G_1$. A search of the frame demonstrates that $\sigma$ is a worst-case path, and thus $head(A) =
(3 - t_0) - d(\sigma) = 3 - 7 = -4$. Similarly, the table states that $tail(A) = 5$. Here, the worst-case path is
$\sigma' = E_7 \to A_7$, and thus $tail(A)$ = (fio — h) $- (d(\sigma') - d(A_7)) = (18 - 13) - (6 - 6) = 5$. Observe that
while $A_7$ is part of the shown frame, $A_7$ is also in the first contour of the next frame, i.e., the 10th contour
of the complete computational expansion. As a final example, the table states that $frame(A, D) = -2$.
The worst-case path is $\sigma'' = A_{-1} \to I_1 \to E_3 \to A_3 \to I_5 \to B_5 \to G_5 \to C_7 \to I_9 \to D_9$, and thus $frame(A, D) =
\pi - (d(\sigma'') - d(D_9)) = 18 - 20 = -2$.

An interesting feature of the frame shown in Figure 14 is that a large number of slacks do not exist, as
indicated by the dashes in Table 1. For example, no slacks at all are shown for latch $F$. This is not
surprising, given the structure of the frame. Observe that no paths in the frame lead from $F_{-1}$ (i.e., the
copy of $F$ in the first contour of the frame) to any other latches. Consequently, no head slack exists for $F$.
Also, there is no path in the frame from $F_{-1}$ to any component in the first contour of the next frame, so no
frame slacks exist for $F$. Finally, since the up-time associated with $J_{-1}$ is outside the clock period for the
frame, and $J_{-1} \to D_{-1} \to F_3$ is the only path from some other latch in the frame to the copy $F_3$ of $F$ in the
first contour of the next frame, no tail slack exists for $F$.

If there exists a strict frame, then all cross constraints can be checked by examining sequences of slacks.
Let $s = v, u, w, \ldots, x, y$ be any sequence of components, possibly with more than a single occurrence of a
particular component. If the slacks of frame $j$ are such that

$$tail(v) + frame(v, u) + frame(u, w) + \cdots + frame(x, y) + head(y) < 0,$$

then $s$ is a negative slack sequence for frame $j$.
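
The negative slack sequence test can be run mechanically as a shortest-path search over the slacks themselves. The following Python code is an added example, not code from the report: head(A), tail(A) and frame(A, D) are the values quoted in the text from Table 1, while head(D) = -4, the function names, the graph encoding, and the treatment of a single component $v$ (tail(v) + head(v)) as the shortest possible sequence are assumptions made for the illustration.

```python
from math import inf

S, T = "<source>", "<sink>"  # artificial endpoints, not circuit components


def min_slack_sequence(tail, frame, head):
    """Least-weight slack sequence tail(v) + frame(v,u) + ... + head(y).

    tail, head: {component: slack}; frame: {(v, u): slack}.  A missing key
    means that slack does not exist (a dash in the report's Table 1).
    Returns (weight, sequence).  weight is -inf when a negative cycle of
    frame slacks can be repeated, and None when no sequence exists at all.
    """
    edges = [(S, v, w) for v, w in tail.items()]
    edges += [(v, u, w) for (v, u), w in frame.items()]
    edges += [(y, T, w) for y, w in head.items()]

    # Keep only nodes from which T is reachable, so that a negative cycle
    # that can never be closed off with a head slack is ignored.
    preds = {}
    for a, b, _ in edges:
        preds.setdefault(b, []).append(a)
    live, stack = {T}, [T]
    while stack:
        for a in preds.get(stack.pop(), []):
            if a not in live:
                live.add(a)
                stack.append(a)
    if S not in live:
        return None, []
    edges = [e for e in edges if e[0] in live and e[1] in live]

    # Bellman-Ford from S: len(live) - 1 relaxation rounds suffice when
    # there is no negative cycle.
    dist = {n: inf for n in live}
    dist[S] = 0
    back = {}
    for _ in range(len(live) - 1):
        changed = False
        for a, b, w in edges:
            if dist[a] + w < dist[b]:
                dist[b], back[b] = dist[a] + w, a
                changed = True
        if not changed:
            break
    # Any further improvement means a negative cycle reachable from S that
    # can still reach T: the sequence weight is unbounded below.
    if any(dist[a] + w < dist[b] for a, b, w in edges):
        return -inf, []

    # Walk the predecessor links back from T to recover the sequence.
    seq, node = [], back[T]
    while node != S:
        seq.append(node)
        node = back[node]
    return dist[T], seq[::-1]


def has_negative_slack_sequence(tail, frame, head):
    weight, _ = min_slack_sequence(tail, frame, head)
    return weight is not None and weight < 0


# Sample input.  head(A), tail(A) and frame(A, D) are quoted in the text;
# head(D) is a constructed value, since Table 1 itself is not reproduced.
SAMPLE_TAIL = {"A": 5}
SAMPLE_FRAME = {("A", "D"): -2}
SAMPLE_HEAD = {"A": -4, "D": -4}

if __name__ == "__main__":
    print(min_slack_sequence(SAMPLE_TAIL, SAMPLE_FRAME, SAMPLE_HEAD))
```

With the constructed head(D), the sequence A, D sums to 5 - 2 - 4 = -1 and is reported, whereas A alone sums to 5 - 4 = 1 and is not a negative slack sequence.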

Theorem  6.2  If  a  cross  constraint  in  a  monotone  computational  expansion  is  violated,  and  there  exists  a 
strict  frame,  then  either  the  strict  frame  contains  a  violated  internal  constraint  or  there  exists  a  negative 
slack  sequence  for  the  frame. 

Proof: The theorem can be proved with methods similar to those used in Theorem 6.1, but making use
of a new base step function $B_j$. If frame $j$ of a computational expansion generated with some monotone
base step function $B$ is strict, then the base step function $B_j$ essentially specifies for every component step
pair $(v, nP + i)$ a base step $l$ such that the number of steps between $nP + i$ and $l$ is always the same as the
number of steps between step $(jP + i)$ and the base step for $v$ at step $(jP + i)$, specified by $B$. Thus, the
computational expansion generated with $B_j$ is essentially the computational expansion that would result if
every frame “looked like” frame $j$. Formally, for any period $n$, let $x(n) = nP - jP$. Now, for any offset $i$,
and component $v$,

$$B_j(v, nP + i) = \begin{cases}
B(v, jP + i) & \text{if } n = j, \\
x(n) + \max_{0 \le k \le i} B(v, jP + k) & \text{if } \exists k \text{ such that } 0 \le k \le i \text{ and } B(v, jP + k) = jP + k, \\
x(n) - P + \max_{0 \le k < P} B(v, jP + k) & \text{otherwise.}
\end{cases}$$

In order to preserve initial conditions, $B_j(v, -1) = B(v, -1)$ for any component $v$. It is tempting to think
that $B_j(v, nP + i)$ could be defined as $x(n) + B(jP + i)$. The problem, not surprisingly, is with boundary
conditions. For example, if B = B, and $j = 0$, the naive definition would specify that $B_j(v, P) = P - 1$
for all $v$. This specification would probably be inconsistent, since for some $v$ it is almost certain that
$B(v, P - 1) \neq P - 1$.

Unfortunately, if frame $j$ is not the same as frame 0, then the definition of $B_j$ might reference nonexistent
steps that are “before” step 0. Such references to nonexistent steps can be resolved by adding a finite number
of suitable additional steps before step 0. Let level $i$ be the earliest level that contains nodes in frame $j$.
Level $i$ corresponds to step so we can add the needed steps by replacing each clock $\phi$ with an
augmented clock $\phi'$, that is defined as follows:


if  t  >  to, 

<t>{-oo) 

if  t  €  [-00,  to  -  (tjp  -  t,)), 

<t>(t  -t-  t) 

if  t€(to-(Ui’-t.),to]. 

Observe that the number of additional steps in $\phi'$ must be less than the number of steps in a single period
of $\Phi$, or else frame $j$ could certainly not have been strict. By assuming the augmented clocks, and using
arguments similar to those in the proof to Lemma 3.1, $B_j$ can be shown to be an expanding monotone base
step function which by Lemma 5.1 is more strict than the original base step function $B$.

The fact that slacks correspond to minimal time-minus-delay pairs implies that whenever there exists
a violated cross constraint in the computational expansion $G_{cxj}$ generated by $B_j$, there must also exist a
negative slack sequence for frame $j$. The path $\sigma$ in $G_{cxj}$ that corresponds to the violated constraint can be
broken into subpaths $\sigma_1, \sigma_2, \sigma_3, \ldots, \sigma_n$, where each subpath only contains nodes from successive frames. Let
denote the first node in $\sigma_i$. If is a copy of component $u$, then the definition of head slack guarantees
that $head(u) \le t_{down} - d(\sigma_n)$, where $t_{down}$ is the amount of time between the start of the clock period
associated with $\sigma_n$, and the down-time associated with the last node in $\sigma_n$. Similarly, if is a copy of
component $w$, then the definition of tail slack guarantees that $tail(w) \le t_{up} - d(\sigma_1)$, where $t_{up}$ is the amount
of time between the up-time of and the end of the clock period associated with $\sigma_1$. Finally, for
$i = 2, 3, \ldots, n - 1$, if is a copy of component $u$ and is a copy of component $w$, then the definition of
frame slack guarantees that $frame(u, w) \le \pi - d(\sigma_i)$. The fact that $\sigma$ corresponds to a constraint violation
implies that the sum of the quantities $t_{up} - d(\sigma_1)$, $\pi - d(\sigma_2)$, $\ldots$, $\pi - d(\sigma_{n-1})$, and $t_{down} - d(\sigma_n)$ must be
negative, and thus, . . . , is a negative slack sequence.

The remainder of the proof uses arguments similar to those in Lemma 5.1. As in the proof of Lemma 5.1,
it can be shown that a violated cross constraint in the original computational expansion $G_{cx}$ implies a
violated constraint in the computational expansion $G_{cxj}$ generated by $B_j$. Let $\sigma$ be the path corresponding
to the violated constraint in $G_{cx}$. By “backtracking” through the two computational expansions, a path
$\sigma'$ in $G_{cxj}$ can be constructed, where by the monotonicity of $B$ and $B_j$, $\sigma'$ also corresponds to a violated
constraint. Now, if $\sigma'$ corresponds to an internal constraint, then the definition of $B_j$ implies that frame $j$
also contains a violated internal constraint. Also, if $\sigma'$ corresponds to a cross constraint, then there exists a
negative slack sequence for frame $j$. ∎

Lemma 6.1 implies that Theorem 6.2 can be applied to computational expansions generated with $B$. In
addition, an inductive argument similar to that used to prove Lemma 5.1 can be used to show that the
converse of Theorem 6.2 holds for the special case of $B$. Unfortunately, the converse of Theorem 6.2 is not
true in general, and consequently, there exist base step functions where a negative slack sequence may exist
even when no $\Lambda$-constraint in the computational expansion is violated. Even in such cases, however, the
timing analysis based on the slacks is “safe” in the sense that the presence of a violated $\Lambda$-constraint is never
overlooked.

Negative slack sequences can be detected using an augmented copy of a frame. Given a circuit $G = (V, E)$,
a corresponding computational expansion $G_{cx} = (V_{cx}, E_{cx})$, and a frame $G_f = (V_f, E_f)$ of $G_{cx}$, let
contour $k$ be the first contour in $G_f$. The $\Lambda$-constraint graph for the frame $G_f$ is the graph $G_\Lambda = (V_\Lambda, E_\Lambda)$,
where

Va  =  {vi  ;  Ui  €  Vf}  U  {u,  :  u  €  U}  U  {s,  <}U 
{uj*'  •.  t)i  €  Vf  with  up-time  tup}U 
{vl*"  :  Vi  £  Vf  with  down-time  t^n), 

:  vl*'  G  Va}U 

{(u,,  Uj)  ;  Vj  is  in  contour  k  of  Gcx}U 

{(uj,  Ut)  ;  Uj  is  in  contour  (jb-|-(P—  1))  of  Gcx, 

(uj,vi)  G  Ecx  and  t/j  is  in  contour  (k  -I-  P)  of  Gcx}U 
{(!;*■'',<)  :  v‘/"  €  14 }U 

Each $v_i \in V_f$ has a propagation delay equal to $-d(v)$, each has a propagation delay equal to $\pi$, each r'*'
has a propagation delay equal to $-(t_{up} \bmod \pi)$, each ul'*" has a propagation delay equal to $(t_{dn} \bmod \pi)$, and
both $s$ and $t$ have propagation delays equal to 0.

The $\Lambda$-constraint graph $G_\Lambda$ has been constructed so that the propagation delays along certain paths
are equal to the slacks of the original frame $j$. For example, if $head(v)$ exists, then there must exist a
path $\sigma$ in frame $j$, from $v_i$ in the first contour of frame $j$ to some latch $u_j$, with down time $t_m$, such that
$(t_m - (\pi \cdot j)) - d(\sigma)$ is exactly equal to $head(v)$. Thus, since $\sigma$ must also exist in $G_\Lambda$, and the delay of
wj" is defined to be $(t_m \bmod \pi)$, which in turn equals $(t_m - (\pi \cdot j))$, the total delay along the path formed
by appending the edge («;,«,*”) onto the end of $\sigma$ must be equal to $head(v)$. For similar reasons, if $tail(v)$
exists, then there must exist a path $\sigma$ in $G_\Lambda$ from some «,•’* to some v^, such that $d(\sigma)$ is exactly equal to
$tail(v)$. Finally, if $frame(v, u)$ exists, then there must exist in $G_\Lambda$ a path $\sigma$ = from $v_i$ in the first
contour of frame $j$ to u, such that $d(\sigma) = frame(v, u)$. A path in $G_\Lambda$ whose total propagation delay must,
by construction, be equal to some slack is a slack path.

If there exists a strict frame, then all $\Lambda$-constraints can be checked by running any of the standard
shortest paths algorithms on the $\Lambda$-constraint graph $G_\Lambda$ for the strict frame. A constructive argument can
be used to show that if there exists a negative slack sequence, then $G_\Lambda$ contains a negative-weight path
from $s$ to $t$. In addition, violated internal constraints also imply negative-weight paths from $s$ to $t$. Thus,
by Theorems 6.2 and 6.1, all $\Lambda$-constraints can be checked by finding the least-weight path from $s$ to $t$ and
comparing the weight of that path to 0.

Theorem 6.3 If a $\Lambda$-constraint in a monotone computational expansion is violated, and frame $j$ is strict,
then the $\Lambda$-constraint graph $G_\Lambda$ for frame $j$ contains a negative-weight path from $s$ to $t$.

Proof: Consider first the case of a violated internal constraint $t_k - t_i \not\geq d(\sigma)$, where $\sigma$ is a path from $u_i$
to $u_j$ within some frame, $u_i$ has up-time $t_i$, and $u_j$ has down-time $t_k$. By Theorem 6.1, there must also
exist a violated internal constraint $t_n - t_l \not\geq d(\sigma')$, where $\sigma'$ is a path from $v_l$ to $u_m$ within the strict frame,
$v_l$ has up-time $t_l$, $u_m$ has down-time $t_n$, and $d(\sigma') = d(\sigma)$. Now, $G_\Lambda$ must, by definition, also contain the
path $\sigma'$, but where the weight of $\sigma'$ is equal to $-d(\sigma)$. (Recall that propagation delays are negated in the
definition of $G_\Lambda$.) In addition, $G_\Lambda$ must contain a path s—vj‘—*vi, whose weight is $-(t_l \bmod \pi)$, and a path
Urn— t, whose weight is $(t_n \bmod \pi)$. Now, all three of these paths can be combined to form a single
path from $s$ to $t$ whose weight is $-d(\sigma') + (t_n \bmod \pi) - (t_l \bmod \pi)$. Since the constraint is internal, however,
the quantity $((t_n \bmod \pi) - (t_l \bmod \pi)) = (t_n - t_l)$, and thus the fact that the constraint is violated directly
implies that the weight of the combined path is less than 0.

The argument for violated cross constraints is similar to the argument for internal constraints. First,
if there exists a violated cross constraint, then by Theorem 6.2, either the strict frame contains a violated
internal constraint, or there exists a negative slack sequence. It has already been shown that violated
internal constraints imply a negative-weight path from $s$ to $t$, so all that remains to be shown is that the
existence of a negative slack sequence also implies a negative-weight path from $s$ to $t$.

The final step of the proof is to show that the slack paths corresponding to a negative slack sequence can
be combined into a single negative-weight path from $s$ to $t$. Let $v, u, w, \ldots, x, y$ be the implied negative
slack sequence. Since $tail(v)$ exists, there must exist a slack path $\sigma$ in $G_\Lambda$ from some u^*' to some t;,,- such
that $d(\sigma)$ is exactly equal to $tail(v)$. In addition, since $frame(v, u)$ exists, there must exist in $G_\Lambda$ a slack
path $\sigma'$ = Vi-^Ur from $v_i$ in the first contour of frame $j$ to such that $d(\sigma') = frame(v, u)$. Since $v_i$ is in
the first contour of frame $j$, however, $E_\Lambda$ contains the edge (u,,, u,), and thus $\sigma$ and $\sigma'$ can be combined into
a single path whose total weight is equal to $tail(v) + frame(v, u)$. Continuing in this fashion, a path from
$s$ to $t$ can be constructed whose total weight is equal to

$$tail(v) + frame(v, u) + frame(u, w) + \cdots + frame(x, y) + head(y).$$

Thus, since this quantity is known to be negative, $G_\Lambda$ contains a negative-weight path from $s$ to $t$. ∎

One difficulty with Theorem 6.3 is that it puts no bound on the length of the implied negative-weight
path from $s$ to $t$. This is not surprising, since the negative-weight path corresponds directly to the presumed
violated $\Lambda$-constraint. Indeed, since there exist circuits, with as few as 4 components, that can operate for
an arbitrary, but not infinite, number of clock cycles before some latch fails to hold its proper value, it is
certain that the length of the implied path is essentially independent of the size of the circuit. The lack of a
useful bound on the length of the implied path indicates that a brute force search for a negative weight path
from $s$ to $t$ would not be an efficient way to perform timing verification. Fortunately, the following related
lemma helps us out of this difficulty.

Lemma 6.2 If $G_\Lambda$ contains a negative weight path $\sigma$ from $s$ to $t$, then $G_\Lambda$ contains a path $\sigma'$ of length less
than $|V|P$, such that $\sigma'$ is either from $s$ to $t$ and of negative weight, or from $s$ to some other vertex and
contains a negative weight cycle.

Proof: If $\sigma$ is of length less than $|V_\Lambda|P$, then $\sigma' = \sigma$. If $\sigma$ is of length greater than or equal to $|V_\Lambda|P$, then
one or more vertices must appear more than once in $\sigma$, and thus $\sigma$ must contain one or more cycles. Clearly,
if all positive-weight cycles are removed from $\sigma$, the resulting path $\sigma''$ is still from $s$ to $t$ and has negative
weight. If $\sigma''$ is of length less than $|V_\Lambda|P$, then $\sigma' = \sigma''$. Otherwise, the path $\sigma'''$ formed by taking the first
$|V_\Lambda|$ edges in $\sigma''$ must itself contain a cycle. In addition, any cycle in $\sigma'''$ must have negative weight, since $\sigma''$
contains no positive cycles, so $\sigma' = \sigma'''$. ∎

Lemma 6.2 is essentially the last step in an argument stating that a standard shortest-path algorithm
can be used to check all the $\Lambda$-constraints of a given circuit. Theorems 6.1 and 6.2 stated that any violated
$\Lambda$-constraint could be detected by examining a single strict frame, while Lemma 6.1 confirmed that a strict
frame existed for computational expansions generated with $B$. Theorem 6.3 then showed that the necessary
“examination” of the strict frame could be performed by finding the shortest path between two nodes in
the $\Lambda$-constraint graph for a strict frame, while Lemma 6.2 showed that in fact the general search for a
negative-weight path could be replaced with a search for “short” negative-weight paths of a particular type.
Thus, the lemma completes the argument, since the Bellman-Ford shortest-path algorithm [12] can be used
to detect paths of precisely this type.

6.4  A  verification  algorithm  for  circuits  with  periodic  clock  sets 

Algorithm PERIODIC takes a circuit $G = (V, E)$ and a periodic clock set $\Phi$ and verifies the proper operation of $G$ in $O(|V||E|P)$ time and $O((|V| + |E| + |\Phi|)P)$ space, where $P$ is the number of steps in a single period of $\Phi$. Since $P$ is generally a small constant, the time and space requirements of Algorithm Periodic are essentially $O(|V||E|)$ and $O(|V| + |E|)$, respectively. Algorithm Periodic uses the results of Theorem 6.3 and Lemma 6.1 to check the A-constraints for $G$. The time intensive part of Algorithm Periodic involves detecting negative-weight paths in the A-constraint graph of a strict frame.

Algorithm Periodic

1. Construct frame 0 of the computational expansion.

2. Modify frame 0 to obtain the A-constraint graph for frame 0.

3. Compute the shortest path from s to t.

4. Check A-constraints by comparing 0 to the shortest path from s to t.

Figure 15: Algorithm PERIODIC verifies the proper operation of a circuit $G = (V, E)$ with periodic clock set $\Phi$, in $O(|V||E|P)$ time and $O((|V| + |E| + |\Phi|)P)$ space, where $P$ is the number of steps in a single period of $\Phi$.

Figure 15 shows a high-level statement of Algorithm Periodic. Given a level-clocked circuit $G = (V, E)$
and  a  clock  set  with  P  steps  per  period,  Algorithm  Periodic  checks  the  A-constraints  that  would  result 
if  the  P  steps  of  the  clocks  were  repeated  indefinitely.  All  A-constraints  are  checked  by  constructing  the 
A-constraint  graph  for  frame  0  and  then  using  a  single-pair  shortest-path  algorithm  to  check  for  a  negative- 
weight  path  from  s  to  t.  By  Theorem  6.3,  Algorithm  Periodic  checks  all  A-constraints. 

The  bulk  of  the  time  required  by  Algorithm  Periodic  goes  to  computing  the  shortest  path  from  s  to 
t  in  the  A-constraint  graph  for  frame  0.  The  construction  of  frame  0  and  its  A-constraint  graph  can  be 
performed in $O((|V| + |E|)P)$ time and $O(|V| + |E| + |\Phi|P)$ space, with a subroutine similar to Algorithm Finite. To check for negative-weight paths from $s$ to $t$, the Bellman-Ford shortest-path algorithm [12] can be used. The Bellman-Ford algorithm can detect paths of the type specified by Lemma 6.2 in $O(|V_A||E_A|)$ time and $O(|V_A| + |E_A|)$ space. Observe, however, that $|V_A|$ is proportional to $|V|P$, and $|E_A|$ is proportional to $|E|P$, so the time and space bounds can be restated as $O(|V||E|P^2)$ and $O((|V| + |E|)P)$, respectively.

Using a modified version of the Bellman-Ford algorithm, however, the total running time of Algorithm Finite can be reduced to $O(|V||E|P)$. The standard Bellman-Ford algorithm can be conceptually viewed as a series of “relaxation” steps, where each relaxation examines every edge exactly once. The number of relaxations required depends on the order in which edges are examined, but in the worst case each relaxation only determines one edge in the “shortest path” being sought, so $|V|P$ relaxations are needed for the path $\sigma'$ implied by Lemma 6.2. Thus, since there are $|E|P$ edges to examine, the total running time for the standard Bellman-Ford algorithm would be $O(|V||E|P^2)$. It is possible to show, however, that there exists another path, analogous to $\sigma'$, that can be found in $|V|$ relaxations, if edges are examined in a special order.

The required new path can be shown to exist using arguments similar to those in the proof of Lemma 6.2. In the proof of Theorem 6.3, it was shown that the negative weight path implied by the theorem could be broken into subpaths, where each subpath corresponded to a slack. In addition, all of these slack paths have less than $|V|P$ edges, and all but the last ends on some vertex $v_r$. Now, by repeating the argument from the proof of Lemma 6.2, but only allowing the removal of complete slack paths, it is not difficult to argue that there exists a path $\sigma''$ consisting of $|V|$ or fewer slack paths, such that either $\sigma''$ is from $s$ to $t$ and of negative total weight, or $\sigma''$ is from $s$ to some and contains a negative weight cycle that includes some $v_r$.

The Bellman-Ford algorithm can detect the existence of $\sigma''$ in $|V|$ relaxations, if the edges in $E_A$ are examined in “topological” order [3, 19]. Technically, since $G_A$ is not acyclic, no true topological order exists for the edges in $E_A$. Fortunately, it is possible to obtain an ordering which is essentially topological, by removing from $E_A$ all edges from $v_r$ vertices, topologically ordering all the edges that remain, and then appending to the topological ordering the edges from $v_r$ vertices. The specific ordering of the edges from $v_r$ vertices is unimportant. Now, since no slack path can contain an edge from a $v_r$ vertex, examining the remaining edges in the order that they appear topologically allows the Bellman-Ford algorithm to “find” an entire slack path in each relaxation, rather than just a single edge. Thus, since $\sigma''$ consists of at most $|V|$ slack paths, only $|V|$ relaxations are needed, and the algorithm terminates in $O(|V||E|P)$ time.
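
The effect of edge order on the number of relaxations, as an added Python example that is not code from the report: a pass-counting Bellman-Ford, the Lemma 6.2 style test (negative s-to-t path or reachable negative cycle), and the "essentially topological" ordering. The graph is a small constructed one rather than an A-constraint graph built from a circuit, and `violated`, `ordered_edges` and `cut` are hypothetical names.

```python
from collections import defaultdict, deque
INF = float("inf")

def bellman_ford(n, edges, s, max_passes):
    """Each pass relaxes every edge once, in list order; returns (dist, passes, converged)."""
    dist = [INF] * n
    dist[s] = 0
    for p in range(1, max_passes + 1):
        changed = False
        for u, v, w in edges:
            if dist[u] + w < dist[v]:
                dist[v], changed = dist[u] + w, True
        if not changed:
            return dist, p, True
    return dist, max_passes, False

def violated(n, edges, s, t):
    """True if a negative s->t path, or a negative cycle reachable from s, exists."""
    dist, _, converged = bellman_ford(n, edges, s, n)
    return not converged or dist[t] < 0

def ordered_edges(n, edges, cut):
    """Set aside edges leaving `cut` vertices (hypothetical stand-in for the
    report's special vertices), topologically order the rest, append the set-aside."""
    kept = [e for e in edges if e[0] not in cut]
    out, indeg = defaultdict(list), [0] * n
    for e in kept:
        out[e[0]].append(e)
        indeg[e[1]] += 1
    queue = deque(v for v in range(n) if indeg[v] == 0)
    order = []
    while queue:
        for e in out[queue.popleft()]:
            order.append(e)
            indeg[e[1]] -= 1
            if indeg[e[1]] == 0:
                queue.append(e[1])
    if len(order) != len(kept):
        raise ValueError("still cyclic after setting aside cut edges")
    return order + [e for e in edges if e[0] in cut]

# Constructed sample: s=0, t=6, cut vertex 3. The path 0..6 weighs -1 and the
# back edge 3->1 closes a positive cycle. EDGES is listed in worst-case order.
N, S, T, CUT = 7, 0, 6, {3}
EDGES = [(5, 6, -1), (4, 5, 1), (3, 4, -2), (3, 1, 5),
         (2, 3, -1), (1, 2, 1), (0, 1, 1)]

if __name__ == "__main__":
    for order in (EDGES, ordered_edges(N, EDGES, CUT)):
        print(bellman_ford(N, order, S, N)[1], "passes; violated:", violated(N, order, S, T))
```

The pass count includes the final pass that confirms nothing changed, so the two orders settle the same distances in a different number of sweeps.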

Overall, therefore, Algorithm Periodic runs in $O(|V||E|P)$ time and $O((|V| + |E| + |\Phi|)P)$ space. In practice, both $P$ and $|\Phi|$ are small constants, so our time and space bounds become $O(|V||E|)$ and $O(|V| + |E|)$, respectively. In addition, the fanout of actual circuit components is generally restricted to a small constant, so we expect that for large circuits $|E|$ is roughly proportional to $|V|$, and our time bound becomes $O(|V|^2)$. As a practical matter, it may be possible to obtain nearly linear observed running times, by computing the shortest paths using the ShortestPathTree algorithm presented by Tarjan [19, p. 92].

When edge weights are integers, efficient “scaling” algorithms can be used to solve the single-source shortest-paths problem. For graphs with negative edge weights, the algorithm due to Gabow and Tarjan [5] runs in $O(\sqrt{V}\,E \lg(VW))$ time, where $W$ is the magnitude of the largest magnitude weight of any edge in the graph.

Often  in  practice,  multiple  clocks  are  derived  from  a  single  fundamental  clock,  and  it  is  of  great  interest 
to  know  the  maximum  frequency  of  the  fundamental  clock.  It  is  also  desirable  to  know  the  critical  path 
that  limits  this  frequency.  By  using  methods  similar  to  those  used  to  solve  the  Minimal  Cost-to-Time  Ratio 
Cycle  Problem  [12],  our  algorithm  can  be  adapted  to  determine,  in  polynomial  time,  the  maximum  clock 
frequency  and  its  associated  critical  path. 

In  order  to  test  the  real-world  practicality  of  Algorithm  PERIODIC,  an  experimental  timing  verification 
tool  CxClone  is  currently  under  development.  Once  completed,  CxClone  will  be  used  to  test  the  observed 
efficiency  of  Algorithm  Periodic  on  a  variety  of  solicited  academic  and  industrial  VLSI  circuits.  In  addition, 
by  incorporating  mechanisms  for  handling  standard  design  activities  such  as  “false  path”  disabling  and 
hierarchical circuit analysis, CxClone will be used to explore how the methods presented in this paper can
be  applied  in  an  integrated  design  environment. 

7  Conclusion 

This paper has established a formal framework for understanding level clocking in VLSI systems. A key idea in the framework is the use of a base step function to capture any particular set of timing assumptions
about  “when  things  change.”  The  computational  expansion  of  a  circuit  depends  on  the  results  of  the  base 
step  function,  but  not  on  the  details  of  how  those  results  are  computed.  Thus,  our  methodology  for  verifying 
circuits  applies  equally  well  to  any  set  of  timing  assumptions  that  can  be  expressed  in  terms  of  a  base  step 
function,  not  just  the  B  function  presented. 

The  framework  can  be  extended  to  address  many  design  concerns.  For  example,  the  framework  can  be 
extended  to  handle  noninstantaneous  clock  transitions  by  using  a  somewhat  more  complex  circuit  model  [10], 
and  making  suitable  modifications  to  the  definitions  of  B,  up-time  and  down-time.  Global  clock  skew  on  a 
chip  can  be  handled  in  a  similar  fashion.  Set-up  times  for  latches  can  also  be  checked  using  modifications  to 
the  definition  of  down-time,  but  the  checking  of  hold  times  for  latches  is  more  problematic,  since  we  do  not 
model  the  nonzero  minimum  propagation  delays  that  are  frequently  used  to  satisfy  hold  time  requirements. 
We  have  also  made  some  preliminary  studies  of  circuits  incorporating  multiplexors  whose  control  inputs  are 
periodic,  and  it  appears  that  our  framework  can  be  used  to  analyze  these  circuits  as  well. 

So-called  “two-sided”  timing  constraints,  in  which  functional  elements  have  minimum  propagation  delays, 
are  more  problematic.  For  the  “one-sided”  constraints  we  have  considered,  the  designer’s  intent  can  be 
inferred  by  letting  propagation  delays  go  to  0.  For  circuits  designed  with  two-sided  constraints,  the  isolation 
of  ideal  outputs  is  more  difficult.  We  are  currently  working  on  the  problem  of  verifying  circuits  with  two-sided 
constraints using the notions of base step functions and computational expansion.

Some  timing  analyzers  attempt  to  handle  circuits  with  data-dependent  delays:  propagation  delays  of 
functional elements that depend on the particular values of inputs to the element. Our method of computational expansion applies perfectly well to the analysis of such circuits, but the base step function B used by
our  algorithms  is,  unfortunately,  not  sophisticated  enough  to  cope  with  data-dependent  delays.  Whether  an 
efficiently  computable  base  step  function  can  be  developed  for  this  situation  is  an  open  research  question. 